CN106302502A - A kind of secure access authentication method, user terminal and service end - Google Patents
- Publication number: CN106302502A (application number CN201610757520.6A)
- Authority: CN (China)
- Prior art keywords: code, checking, shared, message, equipment
- Legal status: Granted
Classifications
- H04L63/068: Network security; key management in a packet data network using time-dependent keys, e.g. periodically changing keys
- H04L63/0846: Network security; authentication of entities using passwords, using time-dependent passwords, e.g. periodically changing passwords
- H04L63/0884: Network security; authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
Abstract
Embodiments of the present invention relate to a secure access authentication method, a user terminal and a server. The method includes: the user terminal sends a device registration message to the equipment application relation verification server to establish a device secure registration relation; the user terminal sends an authorization request message to the equipment application relation verification server to establish an application-and-account to device secure registration relation; the user terminal sends an application login request message to the application providing server; the application providing server sends the user terminal a message requiring equipment application verification; the user terminal sends an equipment application access credential message to the application providing server; the application providing server processes that message and forwards it to the equipment application relation verification server; the equipment application relation verification server verifies the equipment application access credential message and sends an application secure access authentication result to the application providing server; the application providing server responds to the user terminal's login request message.
Description
This application claims the benefit of Chinese patent application No. 201610204634.8, titled "An information processing method, system and device for enhancing access security", filed on 3 April 2016. That application is incorporated herein by reference.
Technical field
Embodiments of the present invention relate to the field of information security technology, and specifically to a secure access authentication method, a user terminal and a server.
Background technology
Internet users are exposed to attacks in which private information such as the user identity and password is stolen; the intruder then uses the obtained private information on an unauthorized third-party device to access the user's private information, make purchases, transfer funds and perform other infringing operations.
New techniques exist to strengthen security when a user logs in, such as two-factor password verification, which requires an additional verification code to be entered, or a dynamic key produced by a token device or input peripheral, every time the user logs in to an application, network or system (software tokens and RSA hardware tokens, for example). These approaches add the cost of a manual verification-code entry step or of hardware management, so raising security also raises the complexity of use for the user. A technique is needed that improves security while simplifying, or at least not increasing, the complexity of use.
Many applications use parameters of the hardware installed in a mobile smart device to identify the device, such as the IMEI, or information derived by combining the computer name, MAC address, IMSI, hardware serial numbers or preset computer system parameters. Such information is easy to imitate, obtain or leak, so it cannot meet the higher security requirement of uniquely distinguishing a device and cannot serve as the authoritative source for authenticating access authorization. An effective, dynamically verified credential is needed to guarantee confidentiality and validity.
Client certificate authentication can in theory solve unique user authentication at login, but because of the expensive solution and its offline management cost, the current Internet architecture cannot provide this security service for most client devices accessing the Internet. An inexpensive, easily managed and automated technique is needed to strengthen the verification of user logins and services.
Hardware keys currently used for verification and identification, such as the U-shields used by banks and the SecurID of RSA, store the key in a portable hardware unit; the client key is distributed offline to ensure safety, the server key is loaded by offline, static manual maintenance, and the hardware serial number or device ID of the stored key associates the signing key with the verification key. This approach solves the security problem but also significantly limits versatility: the user has to bear the cost of managing additional hardware, and if the key lifetime is limited, as with commercial hardware keys such as RSA SecurID, the only remedy is to exchange the device for new hardware. A technique and system is needed that can generate and update the client key and server key online and associate them automatically.
At present, phone numbers and e-mail are the main channels people use to deliver verification codes and authorization codes. If an authorization SMS code, or an authorization message in another form such as a QR code or e-mail, is stolen, it can be used to authorize another device to access the application account. A technique is needed that prevents a misappropriated authorization code or verification code from authorizing an illegitimate device, or from letting the misappropriating device access the user's account and services; that is, an authorization or verification method in which a verification code corresponds uniquely to a designated application account and service and to a designated user-side device.
The verification and signature techniques currently used in networks all face the threat of birthday attacks, brute-force attacks or man-in-the-middle attacks against the keys that produce credentials. A technique is needed that can reduce or resist the threat of brute-force and birthday attacks and can detect man-in-the-middle attacks, thereby raising the security level.
With the rapid spread of mobile computing devices and the development of wearable devices and the Internet of Things, the number of devices with intelligent computing capability is expanding rapidly, and the demand for keys to authenticate trusted devices will rise sharply. The keys provided for authentication therefore need great scalability, so that ample room remains for identifying and operating the wide variety of future IoT devices.
No existing method provides an access verification technique that combines multiple dynamic device verification shared codes and dynamic key identification shared codes in a single security unit to supply equipment application and account access credentials, which is what is needed to solve the problems above.
Summary of the invention
The technical problem to be solved is how to improve the security of user access.
In view of the defects in the prior art, embodiments of the present invention provide a secure access authentication method, a user terminal and a server, which can effectively improve the security of user access.
In a first aspect, an embodiment of the present invention provides a secure access authentication method, including:
The user terminal sends a device registration message to the equipment application relation verification server and establishes a device secure registration relation;
The user terminal sends an authorization request message to the equipment application relation verification server and, according to the device secure registration relation, establishes an application-and-account to device secure registration relation;
The user terminal sends an application login request message to the application providing server;
The application providing server sends the user terminal a message requiring equipment application verification;
The user terminal sends an equipment application access credential message to the application providing server;
The application providing server processes the equipment application access credential message and sends it to the equipment application relation verification server;
The equipment application relation verification server verifies the equipment application access credential message according to the application-and-account to device secure registration relation, and sends an application secure access authentication result to the application providing server;
The application providing server responds to the user terminal's application login request message according to the application secure access authentication result.
Optionally, the user terminal sending a device registration message to the equipment application relation verification server and establishing a device secure registration relation includes:
The user terminal and the equipment application relation verification server negotiate a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored at both the user terminal and the equipment application relation verification server; the equipment application relation verification server assigns a first dynamic device verification shared code registration ID corresponding to the first dynamic device verification shared code and a second dynamic device verification shared code registration ID corresponding to the second dynamic device verification shared code;
The equipment application relation verification server generates a first dynamic key identification shared code from its copies of the first and second dynamic device verification shared codes;
The equipment application relation verification server sends the user terminal a dynamic device shared code verification message carrying the first and second dynamic device verification shared code registration IDs; the dynamic device shared code verification message includes a dynamic device shared code verification message sub-body credential and a dynamic device shared code verification message signature;
The user terminal verifies the sub-body credential of the dynamic device shared code verification message with its copies of the first and second dynamic device verification shared codes, verifies the message signature with the public key of the equipment application relation verification server, and generates a device registration credential once both checks pass;
The user terminal sends the equipment application relation verification server a device registration message carrying the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID;
The equipment application relation verification server uses the first and second registration IDs in the device registration message to look up the corresponding first and second dynamic device verification shared codes on the server, and verifies the device registration message with them;
After the device registration message is verified, the equipment application relation verification server returns to the user terminal a device registration confirmation message carrying the device registration verification result and the first dynamic key identification shared code.
Optionally, the device registration message includes one or more of: a device registration credential, a first dynamic device verification shared code registration ID and a second dynamic device verification shared code registration ID.
Optionally, the dynamic device shared code verification message includes:
a dynamic device shared code verification message main body and a dynamic device shared code verification message signature;
the main body of the dynamic device shared code verification message includes a dynamic device shared code verification message sub-body and a dynamic device shared code verification message sub-body credential;
the sub-body includes the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID and a random salt value;
the sub-body credential of the dynamic device shared code verification message is produced from the first dynamic device verification shared code and the second dynamic device verification shared code;
the signature of the dynamic device shared code verification message is obtained by the equipment application relation verification server signing the main body of the message with its private key.
Optionally, the user terminal sending an authorization request message to the equipment application relation verification server and establishing the application-and-account to device secure registration relation according to the device secure registration relation includes:
The application providing server receives the application authorization request message from the user terminal, processes it and sends it to the equipment application relation verification server;
The equipment application relation verification server generates a dynamic authorization code ciphertext according to the application authorization request message and sends it to the application providing server;
The application providing server sends the dynamic authorization code ciphertext and a randomly generated number to the user terminal in turn;
The user terminal generates an authorization response message carrying an authorization credential according to the dynamic authorization code and the randomly generated number, and sends it to the application providing server; the authorization message includes the randomly generated number and the dynamic authorization code ciphertext;
The application providing server receives the authorization response message from the user terminal, processes it and sends it to the equipment application relation verification server;
The equipment application relation verification server verifies the authorization response message according to the device secure registration relation, then verifies the dynamic authorization code ciphertext and returns an application confirmation result to the user terminal through the application providing server.
Optionally, the equipment application relation verification server generating a dynamic authorization code ciphertext according to the application authorization request message includes:
generating a dynamic authorization code according to the authorization request message;
generating a dynamic authorization key according to the authorization request message;
encrypting the dynamic authorization code with the dynamic authorization key;
sending an authorization code message that includes the dynamic authorization code ciphertext and the first dynamic key identification shared code to the application providing server.
Optionally, the equipment application relation verification server verifying the authorization response message according to the device secure registration relation, then verifying the authorization code ciphertext and returning an application confirmation result to the user terminal through the application providing server includes:
checking, using the device secure registration relation, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key of the device secure registration relation held on the server, and checking whether the decrypted authorization code matches the authorization code issued by the equipment application relation verification server;
if both checks pass, adding the application corresponding to this authorization code, the ID, the authorized service operations, the authorization time and the device relation to the device application list.
Optionally, the method also includes updating the device secure registration relation:
The user terminal and the equipment application relation verification server negotiate a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored at both the user terminal and the equipment application relation verification server;
The equipment application relation verification server generates a second dynamic key identification shared code from its copies of the third and fourth dynamic device verification shared codes;
The equipment application relation verification server sends the user terminal a device update requirement message carrying the second dynamic key identification shared code and the first dynamic key identification shared code;
The user terminal generates a dynamic device update message from its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, and sends it to the equipment application relation verification server; the dynamic device update message includes the user terminal's update registration credential, the first dynamic key identification shared code and the second dynamic key identification shared code;
The equipment application relation verification server verifies the dynamic device update message with its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code;
The equipment application relation verification server generates a device update confirmation message from its third dynamic device verification shared code, fourth dynamic device verification shared code, second dynamic key identification shared code, first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code;
The equipment application relation verification server returns a device update registration verification result to the user terminal.
Optionally, the equipment application relation verification server returning a device update registration verification result to the user terminal includes:
The equipment application relation verification server returns a device update confirmation message to the user terminal;
The user terminal computes the main-body credential of the device update confirmation message from the third and fourth dynamic device verification shared codes corresponding to its second dynamic key identification shared code, computes the sub-body credential of the device update confirmation message from the first and second dynamic device verification shared codes corresponding to its first dynamic key identification shared code, and compares the computed main-body credential and sub-body credential with the corresponding main-body credential and sub-body credential carried in the message;
If both checks pass, the user terminal sets its third dynamic device verification shared code, fourth dynamic device verification shared code and the corresponding second dynamic key identification shared code to the successfully registered state;
The user terminal saves the second dynamic key identification shared code;
The user terminal sends the equipment application relation verification server a device update registration message carrying a device registration credential produced with its third and fourth dynamic device verification shared codes, together with the second dynamic key identification shared code;
The equipment application relation verification server verifies the device update registration message with its third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code;
The equipment application relation verification server returns the device update registration verification result to the user terminal.
Optionally, the user terminal's update registration credential includes a dynamic device update message main-body credential and a dynamic device update message sub-body credential:
the dynamic device update message sub-body credential is computed by the user terminal from its third and fourth dynamic device verification shared codes;
the dynamic device update message main-body credential is computed by the user terminal from its first and second dynamic device verification shared codes.
Optionally, the message requiring equipment application verification carries a session processing ID.
Optionally, the user terminal sending an equipment application access credential message to the application providing server includes:
producing an equipment application access credential message body that includes the session processing ID, and computing the equipment application access credential message body credential corresponding to the session processing ID;
generating an equipment application access credential message that includes the equipment application access credential message body and the message body credential;
sending the equipment application access credential message to the application providing server.
Optionally, the equipment application relation verification server verifying the equipment application access credential message according to the application-and-account to device secure registration relation includes:
using the first dynamic key identification shared code to look up the first dynamic device verification shared code and the second dynamic device verification shared code on the application relation verification server;
computing the message body credential of the equipment application access credential message with the first and second dynamic device verification shared codes;
comparing the computed credential with the credential carried in the message; if they are consistent, further checking whether, in the application-and-account to device secure registration relation, the corresponding application and account hold an authorization relation for the application and account requested in the message, and thereby obtaining the verification result.
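The registration handshake described earlier (negotiated shared codes, registration IDs, the signed dynamic device shared code verification message, the registration credential and the key identification shared code) together with the access-credential verification just described, modelled end to end as an added Python example; this is not code from the patent. It assumes HMAC-SHA256 over a canonical JSON body for every credential, a hash of both shared codes as the key identification derivation, and a keyed MAC standing in for the server's private-key signature; all class and field names are constructed.

```python
import hashlib
import hmac
import json
import secrets


def canon(body: dict) -> bytes:
    # Canonical JSON so both sides MAC identical bytes (this example's encoding, not the patent's).
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def credential(code1: bytes, code2: bytes, body: dict) -> str:
    """Body credential 'produced from' the two shared codes. The patent does not fix the
    construction; HMAC-SHA256 keyed by a hash of both codes is this example's assumption."""
    return hmac.new(hashlib.sha256(code1 + code2).digest(), canon(body), hashlib.sha256).hexdigest()


class RelationVerifier:
    """Equipment application relation verification server (constructed model)."""
    def __init__(self):
        self.codes = {}         # registration ID -> shared code
        self.kid_by_ids = {}    # (id1, id2) -> first dynamic key identification shared code
        self.codes_by_kid = {}  # key identification shared code -> (code1, code2)
        self.relations = {}     # key identification shared code -> {(application, account)}
        # The patent signs the main body with the server's private key; the stdlib has no
        # signature primitive, so a keyed MAC under this secret stands in for it here.
        self._sign_key = secrets.token_bytes(32)

    def sign(self, main: dict) -> str:
        return hmac.new(self._sign_key, canon(main), hashlib.sha256).hexdigest()

    def verify_signature(self, main: dict, sig: str) -> bool:
        # With a real signature the terminal would hold only the server's public key.
        return hmac.compare_digest(self.sign(main), sig)

    def negotiate(self, code1: bytes, code2: bytes) -> dict:
        """Store the negotiated codes, assign registration IDs, derive the key identification
        shared code and build the signed dynamic device shared code verification message."""
        id1, id2 = secrets.token_hex(8), secrets.token_hex(8)
        self.codes[id1], self.codes[id2] = code1, code2
        kid = hashlib.sha256(b"kid|" + code1 + code2).hexdigest()  # derivation is an assumption
        self.kid_by_ids[(id1, id2)] = kid
        self.codes_by_kid[kid] = (code1, code2)
        sub = {"id1": id1, "id2": id2, "salt": secrets.token_hex(8)}  # sub-body with random salt
        main = {"sub": sub, "sub_credential": credential(code1, code2, sub)}
        return {"main": main, "signature": self.sign(main)}

    def register(self, msg: dict):
        # Look up the codes by the carried registration IDs and check the registration credential.
        ids = (msg["id1"], msg["id2"])
        if ids[0] not in self.codes or ids[1] not in self.codes:
            return None
        expected = credential(self.codes[ids[0]], self.codes[ids[1]], {"id1": ids[0], "id2": ids[1]})
        if not hmac.compare_digest(expected, msg["registration_credential"]):
            return None
        return {"result": "ok", "kid": self.kid_by_ids[ids]}  # device registration confirmation

    def authorize(self, kid: str, app: str, account: str) -> None:
        # Outcome of the authorization exchange (not modelled here): record the relation.
        self.relations.setdefault(kid, set()).add((app, account))

    def verify_access(self, msg: dict, app: str, account: str) -> str:
        # Verify an equipment application access credential message for (app, account).
        body = msg["body"]
        codes = self.codes_by_kid.get(body["kid"])
        if codes is None:
            return "unknown key identification"
        if not hmac.compare_digest(credential(*codes, body), msg["body_credential"]):
            return "credential mismatch"
        if (app, account) not in self.relations.get(body["kid"], set()):
            return "no authorization relation"
        return "ok"


class UserTerminal:
    def __init__(self, code1: bytes, code2: bytes, server: RelationVerifier):
        self.code1, self.code2, self.server, self.kid = code1, code2, server, None

    def handle_shared_code_message(self, msg: dict) -> dict:
        """Check signature and sub-body credential, then build the device registration message."""
        main = msg["main"]
        if not self.server.verify_signature(main, msg["signature"]):
            raise ValueError("bad server signature")
        sub = main["sub"]
        if not hmac.compare_digest(credential(self.code1, self.code2, sub), main["sub_credential"]):
            raise ValueError("sub-body credential mismatch: shared codes disagree")
        ids = {"id1": sub["id1"], "id2": sub["id2"]}
        return dict(ids, registration_credential=credential(self.code1, self.code2, ids))

    def access_credential_message(self, session_id: str) -> dict:
        body = {"session_id": session_id, "kid": self.kid}  # session processing ID from the app server
        return {"body": body, "body_credential": credential(self.code1, self.code2, body)}


def run_demo() -> dict:
    server = RelationVerifier()
    code1, code2 = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed negotiated codes
    terminal = UserTerminal(code1, code2, server)
    confirm = server.register(terminal.handle_shared_code_message(server.negotiate(code1, code2)))
    terminal.kid = confirm["kid"]
    server.authorize(terminal.kid, "shop-app", "alice")
    good = terminal.access_credential_message("sess-1")
    forged = {"body": dict(good["body"], session_id="sess-2"), "body_credential": good["body_credential"]}
    return {"registered": confirm["result"],
            "access": server.verify_access(good, "shop-app", "alice"),
            "tampered": server.verify_access(forged, "shop-app", "alice"),
            "unauthorized_app": server.verify_access(good, "bank-app", "alice")}
```

The forged message reuses a valid credential over a changed session ID, and the last case presents a valid credential for an application with no authorization relation; both are rejected by the verifier for different reasons.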
In another aspect, an embodiment of the present invention also provides a secure access authentication user terminal, including:
a device registration unit, configured to send a device registration message to the equipment application relation verification server and establish a device secure registration relation;
an application authorization unit, configured to send an authorization request message to the equipment application relation verification server and establish an application-and-account to device secure registration relation according to the device secure registration relation;
a login request unit, configured to send an application login request message to the application providing server;
a secure authentication request unit, configured to send an equipment application verification request message to the equipment application relation verification server through the application providing server; the equipment application access credential message is generated in response to the message requiring equipment application verification that the application providing server sends to the login request unit;
a login unit, configured to respond to the login request message according to the login response result of the application providing server; the login response result is generated by the application providing server after the equipment application relation verification server has verified the equipment application access credential message according to the application-and-account to device secure registration relation.
Optionally, the device registration unit includes:
a first dynamic device verification shared code negotiation unit, configured to negotiate with the equipment application relation verification server to produce a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored at both the user terminal and the equipment application relation verification server;
a device registration request unit, configured to generate a device registration message carrying a device registration credential and send it to the equipment application relation verification server; the device registration message includes the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID;
the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID are generated by the equipment application relation verification server as the registration IDs assigned to the first and second dynamic device verification shared codes, and are then sent to the user terminal;
the device registration message is generated from the first and second dynamic device verification shared codes stored at the user terminal and from the first and second dynamic device verification shared code registration IDs;
a device registration confirmation unit, configured to receive, verify and store the first dynamic key identification shared code and the registration verification result from the equipment application relation verification server; the registration verification result is obtained after the equipment application relation verification server verifies the device registration message with its first and second dynamic device verification shared codes;
the first dynamic key identification shared code is generated by the equipment application relation verification server from its first and second dynamic device verification shared codes.
Optionally, the device registration message includes: the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID.
Optionally, the application authorization unit includes:
an application authorization request unit, configured to generate an authorization request message and send it through the application providing server to the device application relation verification server;
an application authorization response unit, configured to generate an authorization response message and send it through the application providing server to the device application relation verification server; the authorization response message is generated from the dynamic authorization code ciphertext and a randomly generated number, and carries an authorization credential; the dynamic authorization code ciphertext is generated by the device application relation verification server from the application authorization request message and sent through the application providing server; the randomly generated number is sent by the application providing server after it has forwarded the dynamic authorization code ciphertext to the user terminal;
an application license confirmation unit, configured to receive, verify and store the application license confirmation result sent by the device application relation verification server; the license confirmation result is obtained after the device application relation verification server verifies the authorization response message using its own first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identifier shared code, and then verifies the authorization code ciphertext.
Optionally, the login request unit further includes an application access credential unit, configured to: produce a device application access credential message body; compute a device application access credential message body credential; generate a device application access credential message that includes the device application access credential message body and the device application access credential message body credential; and send the device application access credential message to the application providing server.
Optionally, the user terminal further includes a device registration update unit, including:
a second dynamic device verification shared code negotiation unit, configured to negotiate with the device application relation verification server to produce a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored at the user terminal and at the device application relation verification server respectively;
a device update registration request unit, configured to generate a dynamic device update message carrying a device update registration credential and send it to the device application relation verification server; the dynamic device update message is generated from the first dynamic device verification shared code, the second dynamic device verification shared code, the first dynamic key identifier shared code, the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identifier shared code stored at the user terminal; the second dynamic key identifier shared code is generated by the device application relation verification server from its own third and fourth dynamic device verification shared codes and sent to the user terminal;
a device update registration verification unit, configured to receive, verify and store the update registration verification result sent by the device application relation verification server; the update registration verification result is obtained after the device application relation verification server verifies the dynamic device update message using its own first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identifier shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identifier shared code.
Optionally, the user terminal update registration credential includes a dynamic device update message main message body credential and a dynamic device update message sub-message body credential:
the dynamic device update message sub-message body credential is computed by the user terminal from the third dynamic device verification shared code and the fourth dynamic device verification shared code stored at the user terminal;
the dynamic device update message main message body credential is computed by the user terminal from the first dynamic device verification shared code and the second dynamic device verification shared code stored at the user terminal.
In another aspect, an embodiment of the present invention further provides a device application relation verification server, characterized by including:
a device registration confirmation unit, configured to accept the device registration message sent by the user terminal and establish the device secure registration relation;
an application license confirmation unit, configured to receive the authorization request message sent by the user terminal and establish the application-and-account-to-device secure registration relation according to the device secure registration relation;
a security authentication request confirmation unit, configured to receive the device application access credential message sent through the application providing server; the device application access credential message is generated by the login request unit in response to the device application verification requirement message that the application providing server sends to it;
a login response unit, configured to verify the device application access credential message according to the application-and-account-to-device secure registration relation, generate an application secure access authentication result, and send a login response result through the application providing server, so that the user terminal responds to the login request message according to the login response result provided by the application providing server.
Optionally, the device registration confirmation unit includes:
a first dynamic device verification shared code negotiation unit, configured to negotiate with the user terminal to produce a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored at the user terminal and at the device application relation verification server respectively, and to allocate a first dynamic device verification shared code registration ID and a second dynamic device verification shared code registration ID corresponding to the first and second dynamic device verification shared codes;
a first dynamic key identifier shared code generating unit, configured to generate a first dynamic key identifier shared code from the first dynamic device verification shared code and second dynamic device verification shared code held by the device application relation verification server, and send it to the user terminal;
a device registration confirmation unit, configured to receive the device registration message sent by the user terminal, verify it using the first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identifier shared code held by the device application relation verification server, and then send a device registration confirmation result to the user terminal; the device registration message is generated from the first and second dynamic device verification shared codes stored at the user terminal together with the first and second dynamic device verification shared code registration IDs, and carries a device registration credential and the first and second dynamic device verification shared code registration IDs.
Optionally, the application license confirmation unit includes:
an application authorization request processing unit, configured to receive the authorization request message sent by the user terminal, generate a dynamic authorization code ciphertext from the application authorization request message, and send it to the user terminal through the application providing server;
an application authorization response processing unit, configured to receive the authorization response message sent by the user terminal, verify it using the first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identifier shared code held by the device application relation verification server, then verify the dynamic authorization code ciphertext, generate an authorization notification message and send it to the user terminal through the application providing server; the authorization response message is generated by the user terminal from the dynamic authorization code ciphertext and the randomly generated number and carries an authorization credential; the randomly generated number is sent by the application providing server after it has sent the dynamic authorization code ciphertext to the user terminal.
Optionally, the device application relation verification server generating the dynamic authorization code ciphertext from the application authorization request message includes:
generating a dynamic authorization code according to the authorization request message;
generating a dynamic authorization key according to the authorization request message;
encrypting the dynamic authorization code with the dynamic authorization key;
sending the dynamic authorization code ciphertext to the application providing server.
Optionally, generating the authorization notification message includes:
verifying, using the device secure registration relation, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key corresponding to the device secure registration relation, and verifying whether the decrypted authorization code matches the authorization code allocated by the device application relation verification server;
if both checks pass, adding the application corresponding to this authorization code, the user ID, the authorized service operations and the authorization time, together with the device relation, to the device application list.
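As an added illustration (not code from the patent), the following Python models the authorization exchange of the two preceding passages: the server generates the dynamic authorization code and key and returns the ciphertext, the application providing server relays it with a randomly generated number, the user terminal builds the authorization response carrying an authorization credential, and the server verifies the credential, decrypts and compares the code, then records the grant in the device application list. The HMAC-SHA256 credential, the HMAC-keystream stand-in cipher, the JSON message layout and every name are assumptions, since the patent fixes no concrete algorithms.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed building blocks: the patent fixes neither the credential MAC nor
# the cipher, so HMAC-SHA256 and an HMAC keystream are assumptions for this demo.
def credential_key(first_code: bytes, second_code: bytes, key_id_code: bytes) -> bytes:
    """Authorization-credential key derived from the first and second dynamic device
    verification shared codes and the first dynamic key identifier shared code."""
    return hashlib.sha256(b"auth-credential|" + first_code + b"|" + second_code
                          + b"|" + key_id_code).digest()


def canonical(body: dict) -> bytes:
    """Deterministic encoding so terminal and server MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 counter keystream.
    A deployment would use an AEAD such as AES-GCM; this keeps the demo stdlib-only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# ---- user terminal: application authorization response unit ----
def build_authorization_response(key_id: str, first_code: bytes, second_code: bytes,
                                 ciphertext: bytes, random_number: str,
                                 app_id: str, account: str) -> dict:
    """key_id is the first dynamic key identifier shared code as hex (assumed)."""
    body = {"key_id": key_id, "ciphertext": ciphertext.hex(), "random": random_number,
            "app_id": app_id, "account": account}
    key = credential_key(first_code, second_code, bytes.fromhex(key_id))
    return {"body": body,
            "credential": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


# ---- device application relation verification server ----
class AuthorizationServer:
    def __init__(self):
        self.registrations = {}    # key_id -> (first, second): device secure registration relation
        self.pending = {}          # key_id -> (authorization code, authorization key, request)
        self.device_app_list = {}  # key_id -> granted (application, user, operations, time) records

    def register_device(self, key_id: str, first_code: bytes, second_code: bytes) -> None:
        self.registrations[key_id] = (first_code, second_code)

    def handle_authorization_request(self, request: dict) -> bytes:
        """Generate the dynamic authorization code and key, encrypt the code, return the ciphertext."""
        key_id = request["key_id"]
        if key_id not in self.registrations:
            raise KeyError("device not registered")
        code = secrets.token_bytes(16)
        key = secrets.token_bytes(32)
        self.pending[key_id] = (code, key, request)
        return xor_cipher(key, code)

    def handle_authorization_response(self, response: dict,
                                      now: Optional[int] = None) -> Tuple[bool, str]:
        """Credential check first, then decrypt-and-compare, then record the grant."""
        body = response.get("body") or {}
        key_id = body.get("key_id")
        reg, pend = self.registrations.get(key_id), self.pending.get(key_id)
        if reg is None or pend is None:
            return False, "no registration or no pending authorization"
        first_code, second_code = reg
        key = credential_key(first_code, second_code, bytes.fromhex(key_id))
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(response.get("credential", ""))):
            return False, "authorization credential mismatch"
        code, auth_key, request = pend
        decrypted = xor_cipher(auth_key, bytes.fromhex(body.get("ciphertext", "")))
        if not hmac.compare_digest(decrypted, code):
            return False, "authorization code mismatch"
        del self.pending[key_id]  # each dynamic authorization code is single-use
        self.device_app_list.setdefault(key_id, []).append({
            "app_id": request["app_id"], "user_id": request["account"],
            "operations": list(request.get("operations", [])),
            "authorized_at": int(time.time()) if now is None else now,
        })
        return True, "authorized"


def app_server_forward_request(server: AuthorizationServer, request: dict) -> Tuple[bytes, str]:
    """Application providing server: relay the request, then hand the terminal the
    ciphertext together with a randomly generated number."""
    return server.handle_authorization_request(request), secrets.token_hex(8)
```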
Optionally, the login response unit further includes a login request verification unit, configured to:
use the first dynamic key identifier shared code to look up, at the application relation verification server, the first dynamic device verification shared code and the second dynamic device verification shared code;
use the first and second dynamic device verification shared codes to compute the message body credential of the device application access credential message;
compare the computed credential with the credential carried in the message;
if they are consistent, further check from the application-and-account-to-device secure registration relation whether the application and account requested in the message have an authorization relation, thereby obtaining the verification result.
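As an added illustration (not the patent's own code), the following Python shows both the application access credential unit on the user terminal (described earlier among the user terminal's units) and the login request verification unit just described: lookup by the first dynamic key identifier shared code, recomputation of the message body credential from the first and second dynamic device verification shared codes, constant-time comparison, and only then the authorization relation check. HMAC-SHA256 over a canonical JSON body, the nonce and timestamp freshness fields and all names are assumptions the patent does not specify.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed key derivation: the patent computes the message body credential
# from the first and second dynamic device verification shared codes but fixes
# no algorithm; HMAC-SHA256 keyed by a hash of both codes is an assumption.
def credential_key(first_code: bytes, second_code: bytes) -> bytes:
    return hashlib.sha256(b"access-credential|" + first_code + b"|" + second_code).digest()


def canonical(body: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def message_body_credential(first_code: bytes, second_code: bytes, body: dict) -> str:
    return hmac.new(credential_key(first_code, second_code), canonical(body),
                    hashlib.sha256).hexdigest()


# ---- user terminal side: the application access credential unit ----
def build_access_credential_message(key_id: str, first_code: bytes, second_code: bytes,
                                    app_id: str, account: str,
                                    nonce: Optional[str] = None,
                                    ts: Optional[int] = None) -> dict:
    """Produce the message body, compute its credential and assemble the message.
    key_id is the first dynamic key identifier shared code (hex, assumed) that lets
    the server find the shared codes; nonce and ts are added freshness fields."""
    body = {
        "key_id": key_id,
        "app_id": app_id,
        "account": account,
        "nonce": nonce or secrets.token_hex(16),
        "ts": ts if ts is not None else int(time.time()),
    }
    return {"body": body, "credential": message_body_credential(first_code, second_code, body)}


# ---- device application relation verification server side ----
class AccessVerifier:
    """Login request verification unit together with its two relation stores."""

    def __init__(self, max_skew: int = 300):
        self.registrations = {}   # key_id -> (first, second): device secure registration relation
        self.app_relations = {}   # key_id -> {(app_id, account)}: application-and-account-to-device relation
        self.seen_nonces = set()
        self.max_skew = max_skew

    def register_device(self, key_id: str, first_code: bytes, second_code: bytes) -> None:
        self.registrations[key_id] = (first_code, second_code)

    def authorize(self, key_id: str, app_id: str, account: str) -> None:
        self.app_relations.setdefault(key_id, set()).add((app_id, account))

    def verify(self, message: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        """Returns (ok, reason). Authenticate the device first, then authorize."""
        body = message.get("body") or {}
        key_id = body.get("key_id")
        # 1. use the first dynamic key identifier shared code to look up the shared codes
        reg = self.registrations.get(key_id)
        if reg is None:
            return False, "unknown key identifier"
        first_code, second_code = reg
        # 2./3. recompute the message body credential and compare in constant time
        expected = message_body_credential(first_code, second_code, body)
        if not hmac.compare_digest(expected, str(message.get("credential", ""))):
            return False, "credential mismatch"
        # freshness and replay checks (added hardening, not spelled out in the patent)
        now = int(time.time()) if now is None else now
        if abs(now - int(body.get("ts", 0))) > self.max_skew:
            return False, "stale message"
        if body.get("nonce") in self.seen_nonces:
            return False, "replayed message"
        self.seen_nonces.add(body["nonce"])
        # 4. check the application-and-account-to-device authorization relation
        if (body.get("app_id"), body.get("account")) not in self.app_relations.get(key_id, set()):
            return False, "application and account not authorized for this device"
        return True, "ok"
```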
Optionally, the device application relation verification server further includes a device registration update confirmation unit, including:
a second dynamic device verification shared code negotiation unit, configured to negotiate with the user terminal to produce a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored at the user terminal and at the device application relation verification server respectively;
a second dynamic key identifier shared code generating unit, configured to generate a second dynamic key identifier shared code from the third and fourth dynamic device verification shared codes held by the device application relation verification server, and send it to the user terminal;
a device update registration request confirmation unit, configured to receive the dynamic device update message sent by the user terminal, verify it using the first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identifier shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identifier shared code held by the device application relation verification server, obtain an update registration confirmation message and send it to the user terminal; the dynamic device update message is generated from the first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identifier shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identifier shared code stored at the user terminal, and carries a device update registration credential.
Optionally, the user terminal update registration credential includes a dynamic device update message main message body credential and a dynamic device update message sub-message body credential:
the dynamic device update message sub-message body credential is computed by the user terminal from the third dynamic device verification shared code and the fourth dynamic device verification shared code stored at the user terminal;
the dynamic device update message main message body credential is computed by the user terminal from the first dynamic device verification shared code and the second dynamic device verification shared code stored at the user terminal.
As can be seen from the above technical solution, the secure access authentication method, user terminal and server provided by the embodiments of the present invention effectively ensure the information security of the user terminal's application access to the application providing server by means of a dual authentication: device authentication plus application-and-account authorization. The embodiments can help enterprises and institutions manage the boundary of application access and of devices in their professional application networks. Users can authorize devices, applications and accounts in the self-service manner described above; the embodiments suit a self-service model and changing, flexible public user demand. An enterprise intranet can instead use automation, with the enterprise's operations department configuring the application and device relations automatically, which saves each employee the self-service authorization process and achieves boundary control of the terminal devices accessing enterprise IT. Through the application account authorization and access authentication mechanism on the accessing computing device, a third party device cannot gain access after a password is stolen because it is not authorized, and the system and the account holder can perceive the password leak at the first opportunity and remedy the security breach in time.
Brief description of the drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of a secure access authentication method in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the connection relation between the user terminal, the application providing server and the device application relation verification server in an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a user terminal in an embodiment of the present invention;
Fig. 4 is a flow diagram of establishing the device secure registration relation in an embodiment of the present invention;
Fig. 5 is a flow diagram of establishing the device secure registration relation in another embodiment of the present invention;
Fig. 6 is a flow diagram of establishing the application-and-account-to-device secure registration relation in an embodiment of the present invention;
Fig. 7 is a flow diagram of establishing the application-and-account-to-device secure registration relation in another embodiment of the present invention;
Fig. 8 is a flow diagram of user terminal login security verification in an embodiment of the present invention;
Fig. 9 is a flow diagram of user terminal login security verification in another embodiment of the present invention;
Fig. 10 is a flow diagram of updating the device secure registration relation in an embodiment of the present invention;
Fig. 11 is a flow diagram of updating the device secure registration relation in another embodiment of the present invention;
Fig. 12 is a flow diagram of the user terminal producing a message credential in an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of a user terminal in an embodiment of the present invention;
Fig. 14 is a schematic structural diagram of the device registration unit of the user terminal in an embodiment of the present invention;
Fig. 15 is a schematic structural diagram of the application authorization unit of the user terminal in an embodiment of the present invention;
Fig. 16 is a schematic structural diagram of the device registration update unit of the user terminal in an embodiment of the present invention;
Fig. 17 is a schematic structural diagram of a device application relation verification server in an embodiment of the present invention;
Fig. 18 is a schematic structural diagram of the device registration confirmation unit of the device application relation verification server in an embodiment of the present invention;
Fig. 19 is a schematic structural diagram of the application license confirmation unit of the device application relation verification server in an embodiment of the present invention;
Fig. 20 is a schematic structural diagram of the device registration update confirmation unit of the device application relation verification server in an embodiment of the present invention.
Detailed description of the invention
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
As shown in Fig. 1, an embodiment of the present invention provides a secure access authentication method, including: the user terminal sends a device registration message to the device application relation verification server and establishes a device secure registration relation; the user terminal sends an authorization request message to the device application relation verification server and establishes an application-and-account-to-device secure registration relation according to the device secure registration relation; the user terminal sends an application login request message to the application providing server; the application providing server sends a device application verification requirement message to the user terminal; the user terminal sends a device application access credential message to the application providing server; the application providing server processes the device application access credential message and sends it to the device application relation verification server; the device application relation verification server verifies the device application access credential message and, according to the result, sends a device application verification result message to the application providing server; the application providing server responds to the application login request message of the user terminal according to the application secure access authentication result in the device application verification result message. The secure access authentication method provided by the embodiment of the present invention is described in detail below.
As shown in Fig. 2, the secure access authentication method provided by the embodiment of the present invention is mainly used in an internet system in which a user terminal, an application providing server and a device application relation verification server are connected over a network. The user terminal is any communication device that must pass security authentication when establishing a secure application connection with the application providing server, such as a mobile phone, a PAD, a PC or any other smart device with networking capability. The device application relation verification server is the service equipment that manages the device application relation client on the user terminal; from the device application access credential message it judges whether the device through which the application client accesses an application or service with a given account is an authorized device, and indicates the corresponding behaviour to the application providing server. A server with a security authentication function, for example, can implement the embodiment of the present invention. The application providing server refers to the various servers that provide the expected service to the user terminal; it uses the user device access relation credential verification result provided by the device application relation verification server to decide the service response finally provided to the terminal user. Examples are a mail server, a code security server, an archive information management server or a message management server.
As shown in Fig. 3, the user terminal can include an application client, a device application relation client and an independent security unit. The application client refers to the various local programs and applications that initiate the application service requests specified by the user; it is responsible for calling the API (Application Programming Interface) of the local device application relation client to produce the user device access relation credential and embed it in the flow of requesting and obtaining the service. The device application relation client is the collective name for all software components running on the user-side device that provide, for the user, device access credential services for application login, secure local encryption and decryption of information, and verification and signature functions; it also provides the UI for interacting with the user, works directly with the independent security unit, and conducts sessions with the device application relation verification server to assist in, or directly perform, key generation and key update. The device application relation client is in effect the entity that provides security authentication or access credential services and encryption and decryption services to the application client. The independent security unit refers to a unit, included in the user terminal and its system, that can provide one or more of the following capabilities: trusted secure computation, secure storage and secure UI services, provided by a trusted zone of the computer, an embedded system, a built-in security hardware unit and system, or a firmware unit. The independent security unit provides the services listed above only to the device application relation client; in practice, part of its functionality can be implemented in the device application relation client.
As shown in Fig. 4, in the embodiment of the present invention, when the user terminal needs to be verified by the device application relation verification server, it first has to submit a device secure registration to the device application relation verification server so that a device secure registration relation is established between the user terminal and the device application relation verification server. Specifically, the user terminal sending a device registration message to the device application relation verification server and establishing the device secure registration relation includes: the user terminal and the device application relation verification server negotiate a first dynamic device verification shared code and a second dynamic device verification shared code, stored at the user terminal and at the device application relation verification server respectively; the device application relation verification server allocates a first dynamic device verification shared code registration ID corresponding to the first dynamic device verification shared code and a second dynamic device verification shared code registration ID corresponding to the second dynamic device verification shared code; the device application relation verification server generates a first dynamic key identifier shared code from its own first and second dynamic device verification shared codes; the device application relation verification server sends to the user terminal a dynamic device shared code verification message carrying the first and second dynamic device verification shared code registration IDs, where the dynamic device shared code verification message includes a dynamic device shared code verification message sub-message body credential and a dynamic device shared code verification message signature; the user terminal verifies the dynamic device shared code verification message sub-message body credential using its own first and second dynamic device verification shared codes, verifies the dynamic device shared code verification message signature using the public key of the device application relation verification server, and generates a device registration credential after both verifications pass; the user terminal sends to the device application relation verification server a device registration message carrying the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID; the device application relation verification server uses the first and second dynamic device verification shared code registration IDs in the device registration message to locate its corresponding first and second dynamic device verification shared codes and verifies the device registration message with them; after the device registration message passes verification, the device application relation verification server feeds back to the user terminal a device registration confirmation message carrying the device registration verification result and the first dynamic key identifier shared code.
In a specific embodiment, Fig. 5 is a flow chart of device-application relationship client registration in an embodiment of the invention. In this embodiment, when the user terminal registers with the device-application relationship verification server, it must first establish a session connection with that server. Specifically, the device-application relationship client establishes a plaintext session or an encrypted session connection with the device-application relationship verification server, and the device-application relationship client uses a preset public key to verify that the session peer is the expected device-application relationship verification server.
As shown in Fig. 5, the user terminal and the device-application relationship verification server negotiate the first dynamic device verification shared code and the second dynamic device verification shared code, which are stored respectively on the user terminal and on the device-application relationship verification server.
Specifically, step S21 produces the first dynamic device verification shared code and stores it on both the user terminal and the device-application relationship verification server. In step S21 the first dynamic device verification shared code can be delivered reliably using the ECDH algorithm, the Diffie-Hellman key exchange, or RSA. ECDH is preferred: it gives higher computational efficiency and a shorter key length at the same security level.
Step S21 requires the device-application relationship client and the independent secure unit to cooperate in computing and storing key seed information, from which the final key is then produced as the first dynamic device verification shared code.
Mode one: in step S22 the device-application relationship client passes the public parameters for key computation to the independent secure unit, and the seed information and the final key derived from it are computed inside the independent secure unit. This method gives the seed information and the key a higher level of protection.
Mode two: in step S21 the device-application relationship client runs a program that computes the seed information and generates the final key, i.e. the first dynamic device verification shared code, and in step S22 the dynamic device verification shared code obtained from the seed information is registered into the independent secure unit. Mode two is slightly less secure than mode one but is easier to implement.
Preferably, in a specific embodiment, the seed information and the key, i.e. the first dynamic device verification shared code, are computed and produced inside the independent secure unit. In implementation, in step S23 the device-application relationship verification server assigns a first dynamic device verification shared code registration ID that corresponds to the first dynamic device verification shared code; in embodiments of the invention, this registration ID marks the first dynamic device verification shared code during the user terminal device registration process. As shown in Fig. 5, steps S24 to S25, similarly to steps S21 to S22, produce the second dynamic device verification shared code and store it on both the user terminal and the device-application relationship verification server; at the same time, in step S26 the device-application relationship verification server assigns a second dynamic device verification shared code registration ID. The first and second dynamic device verification shared code registration IDs assigned in steps S23 and S26 serve a dual purpose, illustrated here with the first dynamic device verification shared code registration ID as the example. On one hand, the registration ID marks a specific registration uniquely; if verification fails at any point in the verification flow, the current registration code becomes invalid, which prevents replay attacks. On the other hand, if communication is interrupted during registration, the first dynamic device verification shared code registration ID can continue to be used on a newly established link to complete the flow shown in Fig. 5, preserving the integrity of the communication process and thereby adapting to changeable and complex network environments.
As shown in Fig. 5, the device-application relationship verification server generates the first dynamic key identifier shared code from its own copies of the first and second dynamic device verification shared codes. Specifically, in step S27 the dynamic key identifier shared code is produced by encryption with the first dynamic device verification shared code and the second dynamic device verification shared code. The encryption algorithm includes but is not limited to AES256 or AES192; AES256 is preferred, or a nationally certified algorithm of equivalent security level and key strength. Secure key lengths and algorithms evolve continuously with computer science, and embodiments of the invention follow the security verification levels that the industry adopts as it evolves, and nationally certified rules and algorithms. Specifically, the key identifier id assigned by the device-application relationship verification server is encrypted with the first dynamic device verification shared code to obtain a first ciphertext, and the first ciphertext is then encrypted with the second dynamic device verification shared code; the result is the first dynamic key identifier shared code. The key identifier id, the first dynamic key identifier shared code, the first dynamic device verification shared code and the second dynamic device verification shared code are bound in a corresponding relationship. While the key identifier id stays constant, the first dynamic key identifier shared code changes whenever the first or second dynamic device verification shared code changes. The first and second dynamic device verification shared codes registered in the independent secure unit can only be used by the device-application relationship client; other programs are not allowed to use the keys in the independent secure unit for computation, encryption or verification.
As shown in Fig. 5, in step S28 the device-application relationship verification server sends to the user terminal a dynamic device shared code verification message carrying the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID. Specifically, the device-application relationship verification server composes the dynamic device shared code verification message sub-message body from the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID and a random salt value; using the first and second dynamic device verification shared codes as the key, it computes over the sub-message body the dynamic device shared code verification message sub-message body credential; the sub-message body and the sub-message body credential together form the dynamic device shared code verification message main message body; the device-application relationship verification server signs the main message body with its private key, the result being the signature Sig; and the device-application relationship verification server sends the dynamic device shared code verification message, consisting of the main message body and the signature Sig, to the device-application relationship client.
In implementation, when the credential is computed with the first and second dynamic device verification shared codes as the key, a message authentication code may be used. The algorithm includes but is not limited to HMAC built on a one-way hash function, or a message authentication code built on a block cipher such as DES or AES. HMAC built on a one-way hash function is preferred for computing the message authentication code: it is highly compatible with commercial computing platforms, especially mobile platforms, its security level is widely accepted in commercial networks, and it is easy to deploy commercially.
The device-application relationship client on the user terminal verifies the signature Sig with the public key of the device-application relationship verification server; if the verification passes, the next step is entered, otherwise the message is discarded. The verification procedure is as follows: the device-application relationship client extracts the dynamic device shared code verification message sub-message body and calls the independent secure unit interface to compute the sub-message body credential; the independent secure unit computes the dynamic device shared code verification message sub-message body credential using the first and second dynamic device verification shared codes stored on the user terminal and returns the result to the device-application relationship client; the device-application relationship client compares the computed result with the sub-message body credential contained in the message; if they match, the subsequent device registration flow continues, otherwise an error message is returned to the device-application relationship verification server.
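As an added illustration (not code from the patent), the following Go program builds the dynamic device shared code verification message of step S28 and runs the client-side check just described. It assumes HMAC-SHA256 with the two shared codes concatenated as the key, Ed25519 for the server signature Sig, and a simple length-prefixed layout for the sub-message body; none of these choices is fixed by the text.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SharedCodes are the first and second dynamic device verification shared
// codes held by both sides (on the client, inside the independent secure unit).
type SharedCodes struct{ First, Second []byte }

// u32 writes a big-endian 32-bit field.
func u32(n uint32) []byte { return []byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)} }

// EncodeSubBody lays out the sub-message body: both registration IDs and a
// length-prefixed random salt (the wire layout itself is an assumption).
func EncodeSubBody(regID1, regID2 uint32, salt []byte) []byte {
	b := append(u32(regID1), u32(regID2)...)
	b = append(b, u32(uint32(len(salt)))...)
	return append(b, salt...)
}

// Credential is the HMAC-SHA256 sub-message body credential. The page says
// both shared codes act as the key; concatenating them is this example's
// assumption of how that is done.
func (c SharedCodes) Credential(subBody []byte) []byte {
	m := hmac.New(sha256.New, append(append([]byte{}, c.First...), c.Second...))
	m.Write(subBody)
	return m.Sum(nil)
}

// Message is the dynamic device shared code verification message: the main
// body is sub-body || credential, and Sig is the server signature over it.
type Message struct {
	SubBody, Credential, Sig []byte
}

func (m Message) mainBody() []byte { return append(append([]byte{}, m.SubBody...), m.Credential...) }

// ServerBuild is step S28 on the server: compose the sub-body, MAC it with the
// shared codes and sign the main body with the server private key (Ed25519 is
// this example's choice; the page leaves the signature algorithm open).
func ServerBuild(codes SharedCodes, regID1, regID2 uint32, priv ed25519.PrivateKey) (Message, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Message{}, err
	}
	sub := EncodeSubBody(regID1, regID2, salt)
	m := Message{SubBody: sub, Credential: codes.Credential(sub)}
	m.Sig = ed25519.Sign(priv, m.mainBody())
	return m, nil
}

// ClientVerify is the client-side check: the signature first (message origin),
// then the credential recomputed by the secure unit (both sides hold the same
// codes). Any failure means the message is discarded, as the text prescribes.
func ClientVerify(codes SharedCodes, m Message, serverPub ed25519.PublicKey) error {
	if !ed25519.Verify(serverPub, m.mainBody(), m.Sig) {
		return errors.New("signature Sig invalid: message is not from the trusted server")
	}
	if !hmac.Equal(codes.Credential(m.SubBody), m.Credential) {
		return errors.New("sub-message body credential mismatch: shared codes differ")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed shared codes; in deployment they come from the S21/S24 exchange.
	codes := SharedCodes{First: bytes.Repeat([]byte{1}, 32), Second: bytes.Repeat([]byte{2}, 32)}
	msg, _ := ServerBuild(codes, 1001, 1002, priv)
	fmt.Println("honest client:", ClientVerify(codes, msg, pub))
	other := SharedCodes{First: codes.First, Second: bytes.Repeat([]byte{3}, 32)}
	fmt.Println("client with a different second code:", ClientVerify(other, msg, pub))
	msg.SubBody[12] ^= 1 // flip a bit of the salt in transit
	fmt.Println("tampered message:", ClientVerify(codes, msg, pub))
}
```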
After this verification passes, message credentials in subsequent communication are authenticated in one of the following two ways. Method one: the credential is a message authentication code computed with the first and second dynamic device verification shared codes. In implementation, the first dynamic device verification shared code is used as the key to compute the message authentication code MAC value of the computation object, the MAC value is then encrypted with the second dynamic device verification shared code to obtain the MAC value ciphertext corresponding to the computation object, and this MAC value ciphertext is used as the message body credential or sub-message body credential. Method two: on top of method one, a signature with the private key of the device-application relationship verification server is added; in implementation, the message body and the message body credential produced by method one are signed together. Using method one saves the computation and verification of the signature.
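The following Go example, added here and not taken from the patent, implements both the step S27 construction of the first dynamic key identifier shared code (encrypt the key identifier id with the first code, then the result with the second code) and the method one credential (HMAC with the first code, MAC value encrypted with the second code). It assumes a 16-byte key identifier id and uses AES-256 in raw block mode on those short, pseudorandom inputs, since the text names AES256 but no block mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// blockCrypt applies AES-256 to each 16-byte block with the shared code as the
// key (raw block mode). The inputs here are a 16-byte key identifier or a
// 32-byte HMAC output: short, fixed-size and already pseudorandom, which is
// the one situation in which the unchained block operation does not leak
// structure. It is not a general-purpose encryption routine.
func blockCrypt(code, in []byte, decrypt bool) ([]byte, error) {
	if len(code) != 32 || len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("shared code must be 32 bytes and input a non-empty multiple of 16")
	}
	c, err := aes.NewCipher(code)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			c.Decrypt(out[i:], in[i:])
		} else {
			c.Encrypt(out[i:], in[i:])
		}
	}
	return out, nil
}

// KeyIDSharedCode is step S27: the key identifier id assigned by the server is
// encrypted with the first code (first ciphertext), and that ciphertext is
// encrypted with the second code. keyID being 16 bytes is an assumption.
func KeyIDSharedCode(first, second, keyID []byte) ([]byte, error) {
	c1, err := blockCrypt(first, keyID, false)
	if err != nil {
		return nil, err
	}
	return blockCrypt(second, c1, false)
}

// RecoverKeyID inverts KeyIDSharedCode for a holder of both codes; it makes the
// binding visible: the same keyID yields a different shared code as soon as
// either verification shared code changes.
func RecoverKeyID(first, second, shared []byte) ([]byte, error) {
	c1, err := blockCrypt(second, shared, true)
	if err != nil {
		return nil, err
	}
	return blockCrypt(first, c1, true)
}

// MethodOneCredential: HMAC-SHA256 over the body keyed with the first code,
// then the 32-byte MAC value is encrypted with the second code; that
// ciphertext is the (sub-)message body credential.
func MethodOneCredential(first, second, body []byte) ([]byte, error) {
	m := hmac.New(sha256.New, first)
	m.Write(body)
	return blockCrypt(second, m.Sum(nil), false)
}

// VerifyMethodOne recomputes the credential and compares in constant time;
// a wrong body or a wrong second code both fail.
func VerifyMethodOne(first, second, body, credential []byte) bool {
	want, err := MethodOneCredential(first, second, body)
	return err == nil && hmac.Equal(want, credential)
}

func main() {
	first := bytes.Repeat([]byte{0x11}, 32) // constructed verification shared codes
	second := bytes.Repeat([]byte{0x22}, 32)
	keyID := []byte("keyid-0000000001") // constructed 16-byte key identifier id
	shared, _ := KeyIDSharedCode(first, second, keyID)
	fmt.Printf("first dynamic key identifier shared code: %x\n", shared)
	body := []byte("device registration message body C")
	cred, _ := MethodOneCredential(first, second, body)
	fmt.Println("credential verifies:", VerifyMethodOne(first, second, body, cred))
	tampered := append(append([]byte{}, body...), '!')
	fmt.Println("after body tampering:", VerifyMethodOne(first, second, tampered, cred))
}
```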
As shown in Fig. 5, the user terminal generates a device registration credential from the first and second dynamic device verification shared codes stored on the user terminal. Specifically, in step S29 the device-application relationship client sends a request to the independent secure unit to compute the device registration message body authentication code ciphertext; in step S210 the independent secure unit computes the device registration message body credential using the stored first and second dynamic device verification shared codes; in step S211 the message body credential is returned, and the returned result is used as the device registration credential. Steps S29, S210 and S211 are preferably computed in the independent secure unit.
The device-application relationship client produces the device registration message. It uses one or more items of client information permitted by the user, such as a timestamp, computer device model or brand (not limited to these), together with the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID and a random salt value, to produce the message body C. The credential of message body C is computed using the first and second dynamic device verification shared codes.
Part of the plaintext of the message body, such as the random salt value, is encrypted with the encryption public key of the device-application relationship verification server to obtain a random salt value ciphertext. This ciphertext replaces the corresponding plaintext in message C, forming the final message body C1, and message body C1 together with the credential of message body C form the device registration message. The device-application relationship client sends the device registration message to the device-application relationship verification server.
Once the second dynamic device verification shared code is in use, even if an attacker captures this message, the threshold for brute-forcing the first and second dynamic device verification shared codes is substantially raised; all subsequent interactions use this method to raise the security level. As shown in Fig. 5, the user terminal uses the message body credential returned in S211 as the device registration credential and sends a device registration message carrying the device registration credential to the device-application relationship verification server. Specifically, the device registration message of step S212 preferably provides client information licensed by the user to describe the registering device, such as registration time, device type and description, location, etc.
As shown in Fig. 5, the device-application relationship verification server looks up, by the first and second dynamic device verification shared code registration IDs, the corresponding first and second dynamic device verification shared codes held on the device-application relationship verification server, and verifies the device registration message with them. Specifically, in step S213 a device registration confirmation message containing the first dynamic key identifier shared code is sent to the device-application relationship client on the user terminal. In detail, the device-application relationship verification server uses the first dynamic device verification shared code registration ID in the message to look up the corresponding first dynamic device verification shared code on the server, and uses the second dynamic device verification shared code registration ID to look up the corresponding second dynamic device verification shared code. The device-application relationship verification server decrypts the ciphertext in the received message body C1 with its decryption private key, restoring the plaintext message body; it computes the credential of message body C using the first and second dynamic device verification shared codes and checks whether the computed credential is consistent with the credential of message body C sent in the message. If the check passes, device registration is judged successful, and the device-application relationship verification server marks the first and second dynamic device verification shared codes as successfully registered.
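The following Go example is added here (it is not the patent's code) and shows the device registration message of steps S212 and S213: the credential is computed over the plaintext body C, the salt alone is replaced by its RSA-OAEP ciphertext to form C1, and the server recovers the salt before recomputing the credential. The body layout, HMAC-SHA256 with the concatenated codes as the key, and RSA-OAEP as the public-key encryption are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SharedCodes: the first and second dynamic device verification shared codes.
type SharedCodes struct{ First, Second []byte }

// credential is the HMAC-SHA256 credential over a message body, keyed with
// both codes (concatenation as the key is this example's assumption).
func (c SharedCodes) credential(body []byte) []byte {
	m := hmac.New(sha256.New, append(append([]byte{}, c.First...), c.Second...))
	m.Write(body)
	return m.Sum(nil)
}

func u32(n uint32) []byte { return []byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)} }

// encodeBody lays out plaintext message body C: the user-permitted client info,
// both registration IDs and the 16-byte random salt (layout is assumed).
func encodeBody(clientInfo string, regID1, regID2 uint32, salt []byte) []byte {
	b := append(u32(uint32(len(clientInfo))), clientInfo...)
	b = append(b, u32(regID1)...)
	b = append(b, u32(regID2)...)
	return append(b, salt...)
}

// RegistrationMessage is what travels (steps S212 and S213): body C1, in which
// the salt is replaced by its RSA-OAEP ciphertext, plus the credential that was
// computed over the plaintext body C.
type RegistrationMessage struct {
	ClientInfo     string
	RegID1, RegID2 uint32
	SaltCiphertext []byte
	Credential     []byte
}

// ClientBuild is the client side: draw the salt, compute the credential over C
// with the codes (in deployment inside the secure unit), then encrypt only the
// salt under the server's encryption public key to form C1.
func ClientBuild(codes SharedCodes, clientInfo string, regID1, regID2 uint32, serverPub *rsa.PublicKey) (RegistrationMessage, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return RegistrationMessage{}, err
	}
	cred := codes.credential(encodeBody(clientInfo, regID1, regID2, salt))
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, salt, nil)
	if err != nil {
		return RegistrationMessage{}, err
	}
	return RegistrationMessage{clientInfo, regID1, regID2, enc, cred}, nil
}

// ServerVerify is the server side: look the codes up by both registration IDs,
// recover the salt with the private key, rebuild C and compare credentials.
// Without the private key an observer cannot even rebuild C, let alone its MAC.
func ServerVerify(lookup func(regID1, regID2 uint32) (SharedCodes, bool), priv *rsa.PrivateKey, m RegistrationMessage) error {
	codes, ok := lookup(m.RegID1, m.RegID2)
	if !ok {
		return errors.New("unknown registration IDs")
	}
	salt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, m.SaltCiphertext, nil)
	if err != nil {
		return errors.New("salt ciphertext does not decrypt under this server key")
	}
	if !hmac.Equal(codes.credential(encodeBody(m.ClientInfo, m.RegID1, m.RegID2, salt)), m.Credential) {
		return errors.New("message body credential mismatch")
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // server encryption key pair
	codes := SharedCodes{First: bytes.Repeat([]byte{1}, 32), Second: bytes.Repeat([]byte{2}, 32)} // constructed
	lookup := func(a, b uint32) (SharedCodes, bool) { return codes, a == 7 && b == 8 }
	msg, _ := ClientBuild(codes, "model=demo;ts=1700000000", 7, 8, &priv.PublicKey)
	fmt.Println("genuine message:", ServerVerify(lookup, priv, msg))
	msg.ClientInfo = "model=other;ts=1700000000" // altered in transit
	fmt.Println("altered client info:", ServerVerify(lookup, priv, msg))
}
```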
The device registration confirmation message includes the message body of the device registration confirmation message and the device registration confirmation message body credential. The message body includes at least the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID, the registration result, the first dynamic key identifier shared code and a random number. The device registration confirmation message body credential is computed using the first and second dynamic device verification shared codes as the key. The device-application relationship verification server sends the device registration confirmation message to the device-application relationship client.
Beneficial effects: the signature over the main message body of the dynamic device shared code verification message lets the client judge that the message comes from a trusted device-application relationship verification server, and the sub-message body credential verifies, in the downlink direction, that the first and second dynamic device verification shared codes used by the server to produce the credential are consistent with the corresponding keys of the device-application relationship client. The device registration message carries a random salt value transmitted encrypted under the server's public key, so only the server holding the private key can compute the correct credential of the plaintext message body, which guarantees consistency in the uplink direction. Together these detect and prevent possible man-in-the-middle attacks and integrity violations during the production of the first and second dynamic device verification shared codes.
As shown in Fig. 5, the device-application relationship verification server feeds back the device registration verification result to the user terminal. Specifically, in step S214 the verified first dynamic key identifier shared code is saved into the secure storage area provided by the independent secure unit; at the same time the first and second dynamic device verification shared codes are confirmed as successfully registered, and the client can then provide service state to the application.
The device-application relationship client verifies the message body credential using the first and second dynamic device verification shared codes. If the verification passes, the device-application relationship client requires the independent secure unit to save the dynamic key identifier shared code, and the device registration success flow is complete; otherwise an error is reported and the flow is terminated.
As shown in Fig. 6, in embodiments of the invention, the application and account on the user terminal, together with the device-application relationship client, establish with the device-application relationship verification server a secure registration relationship between the application, the account and the device; when the application client on the user terminal logs in through the verification of the device-application relationship verification server, it further provides to that server authentication of the application, account and device secure registration relationship. Specifically, the application client on the user terminal sends an authorization request message to the device-application relationship verification server, and establishing the application, account and device secure registration relationship according to the device secure registration relationship includes: the application providing server receives and processes the authorization request message of the user terminal and sends it to the device-application relationship verification server; the device-application relationship verification server generates a dynamic authorization code ciphertext from the authorization request message and sends it to the application providing server; the application providing server sends, in turn, the dynamic authorization code ciphertext and a randomly generated number to the user terminal; the user terminal generates an authorization response message carrying an authorization credential from the dynamic authorization code ciphertext and the randomly generated number and sends it to the application providing server, the authorization response message including the dynamic authorization code ciphertext and the randomly generated number; the application providing server receives and processes the authorization response message of the user terminal and sends it to the device-application relationship verification server; after verifying the authorization response message according to the device secure registration relationship, the device-application relationship verification server verifies the dynamic authorization code ciphertext and feeds back an application confirmation result to the user terminal through the application providing server.
In a specific embodiment, Fig. 7 is a flow chart of registering an application, account and device secure registration relationship in an embodiment of the invention. When the user terminal initiates registration of an application, account and device secure registration relationship with the device-application relationship verification server, the user terminal, the application providing server and the device-application relationship verification server establish session connections. The flow in which the user terminal initiates registration of a mail application, account and device secure registration relationship with the device-application relationship verification server is used below as the example for establishing the application, account and device secure registration relationship between the user terminal and the device-application relationship verification server.
As shown in Fig. 7, the application providing server receives and processes the application authorization request message of the user terminal and sends it to the device-application relationship verification server. Specifically, the application client is an e-mail application client and the application providing server is an e-mail application providing server. The e-mail application client interacts with the device-application relationship client. Steps S31 to S32 compute the application authorization request message body credential, with the submitted application authorization request message body as the computation object: the device-application relationship client computes the credential following the message body credential computation of steps S29, S210 and S211 in Fig. 5 and returns it to the e-mail application client in S32, and the e-mail application client includes this application authorization request message body credential in the S33 authorization request message and sends it. In a specific embodiment, the authorization request message of steps S33 and S35 includes but is not limited to the application ID, user ID, the first dynamic key identifier shared code, the authorization period applied for, and supplementary authorization information such as write or login actions. The first dynamic key identifier shared code is obtained by querying the device-application relationship client API. In a specific embodiment, the information and options checked in step S34 can be decided by the application.
The application client obtains the dynamic key identifier shared code through the API provided by the device-application relationship client, and composes the authorization request message body from, but not limited to, the application name or number, application ID, authorized content, service provider information, the requested authorization code transfer mode and the first dynamic key identifier shared code. The authorization code transfer modes include but are not limited to wireless communication, wired fixed-network communication, SMS, QR code, e-mail, etc. The application client calls the device-application relationship client API to compute the credential of the authorization request message body, composes the device application authorization request message from the authorization request message body and its credential, and sends the authorization request message to the application providing server.
The application providing server performs an authorization compliance check; if it passes, it requires the device-application relationship verification server to verify the authorization and forwards the authorization request message to the device-application relationship verification server.
As shown in Fig. 7, the device-application relationship verification server generates, from the application authorization request message, authorization code information carrying the dynamic authorization code ciphertext and sends it to the application providing server. Generating the dynamic authorization code from the application authorization request message includes: generating the dynamic authorization code from the authorization request message; generating an authorization code key of the type corresponding to the authorization code transfer mode included in the authorization request message; encrypting the dynamic authorization code; and sending the authorization code message, composed of the dynamic authorization code ciphertext and the first dynamic key identifier shared code, to the application providing server.
Specifically, generating the dynamic authorization code ciphertext from the application authorization request message includes: generating the dynamic authorization code from the authorization request message; generating a dynamic authorization key from the authorization request message; encrypting the dynamic authorization code with the dynamic authorization key; and sending the authorization code message, which includes the dynamic authorization code ciphertext and the first dynamic key identifier shared code, to the application providing server. Using the dynamic key identifier shared code in the authorization request message, the device-application relationship verification server confirms that the device sending the authorization request message is a successfully registered device, looks up the corresponding first and second dynamic device verification shared codes on the server, and verifies the authorization request message body credential with the first and second dynamic device verification shared codes. If the computed authorization request message body credential equals the credential included in the authorization request message, the server generates, according to the requested authorization transfer mode, the authorization code key that corresponds to the dynamic key identifier shared code, produces the dynamic authorization code, and encrypts the dynamic authorization code with the authorization code key to produce the dynamic authorization code ciphertext M.
Specifically, the dynamic authorization code produced in step S36 marks the scope of authority and the authorization relationship in the current authorization request; the length of the authorization code message is determined by the transfer mode of the dynamic authorization code. The transfer modes include but are not limited to SMS, QR code, e-mail, telephone, video, QQ, WeChat, etc. If SMS is the transfer mode, a shorter key is used; if QR code or e-mail is used, longer information can be transmitted and AES256 encryption may be used. In step S39 the authorization code message is sent to the e-mail application providing server. In a specific embodiment, the authorization code message is sent to the application providing server; since the terminal client and the application providing server have a service agreement, the application providing server is advantageously the better channel for delivering the authorization code ciphertext.
In embodiments of the invention, the authorization code is encrypted with an authorization code key that corresponds to the dynamic key identifier shared code, so that the authorization is valid only for the device authorization corresponding to the current dynamic key identifier shared code, which prevents the authorization code from being used fraudulently. The device-application relationship verification server composes the authorization code message from the authorization code ciphertext M and the dynamic key identifier shared code and sends it to the application providing server.
As shown in Fig. 7, the application providing server sends, in turn, the dynamic authorization code and the randomly generated number to the user terminal. Specifically, the application providing server sends the dynamic authorization code to the user terminal: according to the authorization code transfer mode and contact method chosen by the application account for the current application authorization, it transmits the authorization code ciphertext M to the user; and the application providing server sends a challenge random number N to the application client to mark the current authorization action. In step S311 the authorization code information is entered, by means including but not limited to screen UI input, camera scanning, image recognition, copy-and-paste from mail content, etc. In step S312 the randomly generated number is sent; it is the e-mail application providing server's label for managing this authorization and at the same time serves as the challenge for the client credential, i.e. the authorization response credential. The e-mail application client obtains the authorization response credential through steps S313 and S314.
As shown in Fig. 7, the user terminal generates an authorization response message carrying an authorization response credential from the entered dynamic authorization code and the received challenge random number, and sends it to the application providing server; the authorization response message includes the randomly generated number and the dynamic authorization code ciphertext. Specifically, in step S315 the authorization response message is sent to the e-mail application providing server; in step S316 the e-mail application providing server records the flow state and forwards the message; in step S317 the authorization response message is forwarded to the device-application relationship verification server.
Specifically, the application client composes the authorization response message body Q from the received challenge random number N, a timestamp, the received authorization code ciphertext M and the first dynamic key identifier shared code, and calls the device-application relationship client API; the device-application relationship client calls the secure unit with message body Q as the parameter to compute the authorization response message body credential, and returns this credential to the application client as the authorization response credential; the application client composes the authorization response message from message body Q and its authorization response credential and sends the message to the application providing server; the application providing server checks the random number and then forwards the authorization response message to the device-application relationship verification server.
As shown in Figure 7, the device application relationship verification server verifies the authorization response message according to the device secure registration relationship, then verifies the authorization code ciphertext and feeds the verification result back to the user terminal through the application providing server. This includes: checking, with the device secure registration relationship, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key held by the device secure registration relationship server and checking whether the decrypted authorization code matches the one distributed by the device application relationship verification server; if both checks pass, adding the application, user ID, authorized service operation and authorization time corresponding to this authorization code, together with the device relationship, to the device application list. Specifically, in step S318 the device application relationship verification server first takes the first and second dynamic device verification shared codes that correspond, on its side, to the first dynamic key identification shared code in the message, and checks whether the authorization response credential in the message matches, that is, whether the credential it computes over the authorization response message body Q equals the credential over Q sent in the message; if they are equal, it decrypts the dynamic authorization code with the authorization code key and checks whether it is consistent with the dynamic authorization code corresponding to the first dynamic key identification shared code; if both checks pass, the e-mail application, user ID, authorized service operation and authorization time corresponding to this dynamic authorization code are added, together with the device relationship, to the secure device application list. In step S319 the device application relationship verification server sends an authorization notification message informing the e-mail application providing server that the authorization flow has ended.
Specifically, the application providing server checks the dynamic key identification shared code and the challenge random number, records the authorization flow state, and forwards the authorization response message to the device application relationship verification server. The device application relationship verification server uses the first dynamic key identification shared code in the authorization response message to look up the first dynamic device verification shared code, the second dynamic device verification shared code and the authorization code key. It computes the authorization response message body credential with the first and second dynamic device verification shared codes and compares it with the authorization response message body credential sent in the message; if they are equal it goes on to verify the authorization code, otherwise the authorization process stops. The device application relationship verification server decrypts the authorization code ciphertext M in the message with the corresponding authorization code key and compares the plaintext with the plaintext authorization code it recorded when distributing it for this authorization; if they are consistent, the authorization item corresponding to the authorization code is approved and recorded in the device list entry corresponding to this first dynamic key identification shared code, and an authorization notification message is sent to the application providing server at the same time; if they are inconsistent, the relevant failure information is included in the authorization notification message sent to the application providing server.
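The two server-side checks described above (step S318, credential then decrypted authorization code, with the notification of step S319) and the later access check of step S48 in Figure 9, as an added example that is not the patent's own code. It assumes HMAC-SHA256 over a canonical JSON body keyed with the two device verification shared codes as the credential, and a constructed nonce plus keystream XOR as a stand-in for the unspecified authorization code cipher; key identifications, codes and names are constructed samples.

```python
"""Added example, not the patent's code: the device application relationship
verification server checking an authorization response (S318/S319) and, after
authorization, a device application access credential (S48). Assumed primitives,
which the patent leaves to the secure element: HMAC-SHA256 over a canonical JSON
body keyed with the two shared codes, and a constructed nonce + keystream XOR
stand-in for the authorization code cipher. All sample values are constructed."""
import hashlib
import hmac
import json
import secrets
import time

def credential(body: dict, code1: bytes, code2: bytes) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(code1 + code2, canonical, hashlib.sha256).hexdigest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_auth_code(auth_code_key: bytes, auth_code: str) -> str:
    """Ciphertext M = nonce || (code XOR keystream), hex encoded for transport."""
    nonce = secrets.token_bytes(12)
    return (nonce + _keystream_xor(auth_code_key, nonce, auth_code.encode())).hex()

def decrypt_auth_code(auth_code_key: bytes, m_hex: str) -> str:
    raw = bytes.fromhex(m_hex)
    return _keystream_xor(auth_code_key, raw[:12], raw[12:]).decode(errors="replace")

class DeviceClient:
    """User terminal: the application client plus the device application relationship
    client whose secure element holds the two shared codes behind one key identification."""

    def __init__(self, key_id: str, code1: bytes, code2: bytes):
        self.key_id, self.code1, self.code2 = key_id, code1, code2

    def authorization_response(self, challenge: str, m_hex: str) -> dict:
        q = {"challenge": challenge, "timestamp": int(time.time()),
             "auth_code_ciphertext": m_hex, "key_id": self.key_id}  # message body Q
        return {"body": q, "credential": credential(q, self.code1, self.code2)}

    def access_credential(self, session_id: str, app: str, account: str) -> dict:
        body = {"session_id": session_id, "app": app, "account": account, "key_id": self.key_id,
                "nonce": secrets.token_hex(8), "timestamp": int(time.time())}
        return {"body": body, "credential": credential(body, self.code1, self.code2)}

class RelationVerificationServer:
    def __init__(self):
        self.registrations = {}  # key_id -> (code1, code2, authorization code key)
        self.pending = {}        # challenge N -> record of the authorization it marks
        self.device_apps = {}    # key_id -> list of authorized (app, account, operation)

    def register_device(self, key_id: str, code1: bytes, code2: bytes, auth_code_key: bytes):
        self.registrations[key_id] = (code1, code2, auth_code_key)

    def distribute_auth_code(self, key_id: str, app: str, account: str, operation: str):
        """Issue M (delivered to the user's mailbox) and the challenge N for one authorization."""
        auth_code = f"{secrets.randbelow(10 ** 6):06d}"  # constructed 6-digit code
        challenge = secrets.token_hex(16)
        self.pending[challenge] = {"auth_code": auth_code, "app": app,
                                   "account": account, "operation": operation}
        return encrypt_auth_code(self.registrations[key_id][2], auth_code), challenge

    def _check_credential(self, msg: dict):
        """Look up the shared codes by key identification and recompute the credential."""
        reg = self.registrations.get(msg["body"].get("key_id"))
        if reg is None or not hmac.compare_digest(
                credential(msg["body"], reg[0], reg[1]), msg["credential"]):
            return None
        return reg

    def verify_authorization_response(self, msg: dict) -> dict:
        """S318: credential first, then the decrypted code; S319: the notification."""
        body = msg["body"]
        notify = {"challenge": body.get("challenge"), "authorized": False}
        reg = self._check_credential(msg)
        if reg is None:
            return {**notify, "failure": "credential mismatch"}
        flow = self.pending.pop(body["challenge"], None)  # each challenge is used once
        if flow is None:
            return {**notify, "failure": "no authorization flow for this challenge"}
        if decrypt_auth_code(reg[2], body["auth_code_ciphertext"]) != flow["auth_code"]:
            return {**notify, "failure": "authorization code mismatch"}
        self.device_apps.setdefault(body["key_id"], []).append(
            {"app": flow["app"], "account": flow["account"],
             "operation": flow["operation"], "granted_at": body["timestamp"]})
        return {**notify, "authorized": True}

    def verify_access_credential(self, msg: dict) -> dict:
        """S48: credential check, then the device application list decides access."""
        body = msg["body"]
        result = {"session_id": body.get("session_id"), "granted": False}
        if self._check_credential(msg) is None:
            return {**result, "reason": "credential mismatch"}
        granted = any(a["app"] == body["app"] and a["account"] == body["account"]
                      for a in self.device_apps.get(body["key_id"], []))
        return {**result, "granted": granted,
                "reason": None if granted else "no authorization for this app and account"}
```

A replayed authorization response fails at the pending-flow lookup even though its credential is still valid, which is why the challenge record is consumed on first use.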
In step S320 the e-mail application providing server forwards the authorization notification message to the e-mail application client of the user terminal. The device application relationship client receives the authorization notification message, verifies the message body credential, and then ends the authorization flow. In step S321 the device application relationship client verifies the authorization notification message with the device's first and second dynamic device verification shared codes; according to the result, the e-mail application client saves the successfully authorized application information in the device application relationship client. The authorized application information is, for example, the e-mail account, the mail service provider and the mail service description.
Specifically, the authorization notification message consists of the challenge random number from the authorization response message and the judgement result. The application providing server performs the corresponding application action according to the authorization notification message and notifies the application client of the result; the device application relationship client receives the authorization notification message, and the authorization process between the application and account and the device secure registration relationship ends.
As shown in Figure 8, a user terminal that has completed device registration and application and account authorization initiates a login request to the application providing server, and the detailed process of security authentication performed through the device application relationship verification server is as follows: the user terminal sends a login request message to the application providing server; the application providing server sends a device application verification request message to the user terminal; the user terminal sends a device application access credential message to the application providing server; the application providing server processes it and sends the device application access credential message to the device application relationship verification server; the device application relationship verification server verifies the device application access credential message according to the application and account and the device secure registration relationship, and sends a device application verification result message to the application providing server; the application providing server responds to the user terminal's login request message according to the application secure access authentication result contained in the device application verification result message. The security authentication method provided by the embodiment of the present invention can automatically verify an application and account access request against the device relationship, saving the user the step of manually entering a verification code. The embodiment of the present invention is illustrated below with the preferred example of a secure login authentication process for corporate intranet code access.
As shown in Figure 9, the user terminal sends an application login request message to the application providing server. The application client initiates an access request to the application providing server; the application providing server determines that device application relationship authentication is required and sends a device application verification request message to the user terminal, which includes a session ID to mark the specific session being verified. Specifically, for example, the code access client initiates an application login request message to the code server.
As shown in Figure 9, the application providing server sends a device application verification request message to the user terminal. Specifically, in step S42 the code server sends the device application verification request message, and the application client of the user terminal is called to perform device security verification.
As shown in Figure 9, the user terminal sends a device application access credential message to the application providing server. Specifically, step S43 calls the device application relationship client API to compute the device application access credential message body credential; in step S44 the credential computed by the independent secure element is returned through the device application relationship client to the code access application client; in step S45 the code access client sends the device application access credential message to the code server.
Specifically, after the application client receives the device application verification request message, the client application calls the device application relationship client API and submits a device application access credential message body that includes the first dynamic key identification shared code, session ID, timestamp, application name, application service provider information and user name; the device application relationship client generates the device application access credential message for the current request. The device application access credential message consists of the message body and the encrypted device application access credential message body credential, where the message body includes but is not limited to the application name, application account, application side information, random number, timestamp, session ID and first dynamic key identification shared code. The application client calls the device application relationship client API to compute the device application access credential message body credential; the secure element returns the credential; the device application relationship client delivers the device application access credential message, consisting of the message body and the message body credential, to the application client; the application client sends the device application access credential message to the application providing server.
As shown in Figure 9, the application providing server processes the device application access credential message and sends it to the device application relationship verification server. Specifically, in step S46 the code server checks that this is the response to the current access request and that the session ID is valid; in step S47, after the check, it forwards the device application access credential message to the device application relationship verification server. That is, after the application providing server receives the device application access credential message and verifies that the session ID is valid, it sends the message to the device application relationship verification server.
As shown in Figure 9, the device application relationship verification server verifies the device application access credential message according to the application and account and the device secure registration relationship, and sends a device application verification result message to the application providing server; the application providing server responds to the user terminal's application login request message according to the application secure access authentication result contained in the device application verification result message. In step S48 the device application relationship verification server uses the first dynamic key identification shared code in the device application access credential message to look up the corresponding first and second dynamic device verification shared codes on its side, computes the device application access credential message body verification credential, and checks whether the device application access credential message body credential in the message is consistent with the computed verification credential. If consistent, it goes on to check whether the device application list includes an authorization for the account in the message and an authorization for the code application, producing a judgement of whether the current application and account access comes from an authorized user terminal. In step S49 the device application verification result message is sent to the code server, and the code server decides whether to authorize the requested service according to the result indicated in the message.
Specifically, the device application relationship verification server receives the device application access credential message and uses the first dynamic key identification shared code to look up the first and second dynamic device verification shared codes held in the application relationship verification server. It computes the message body credential of the device application access credential message with the first and second dynamic device verification shared codes and compares the computed credential with the credential sent in the message. If they are consistent, it further checks whether the corresponding device holds an authorization for the application, account or action, and so obtains the verification result. It generates a device application verification result message including the session ID, the judgement result and result side information (the message content includes but is not limited to the items listed) and sends this message to the application providing server; the application providing server decides which service to provide for the current access according to the result and side information in the device application verification result message.
As shown in Figure 10, in the embodiment of the present invention, in order to further ensure the security of communication between the user terminal and the application providing server, a life cycle needs to be set for the device secure registration relationship, and the device secure registration relationship needs to be updated after the life cycle expires. The process of updating the device secure registration relationship is as follows: the user terminal and the device application relationship verification server negotiate a third dynamic device verification shared code and a fourth dynamic device verification shared code, stored respectively on the user terminal and on the device application relationship verification server; the device application relationship verification server generates the second dynamic key identification shared code from its third and fourth dynamic device verification shared codes; the device application relationship verification server sends the user terminal a device update request message carrying the second dynamic key identification shared code and the first dynamic key identification shared code; the user terminal generates a dynamic device update message from the user terminal's first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, and sends it to the device application relationship verification server; the dynamic device update message includes the user terminal update registration credential, the first dynamic key identification shared code and the second dynamic key identification shared code; the device application relationship verification server verifies the dynamic device update message with its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code; the device application relationship verification server generates a device update confirmation message from its third dynamic device verification shared code, fourth dynamic device verification shared code, second dynamic key identification shared code, first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code; the device application relationship verification server feeds the device update registration verification result back to the user terminal.
As shown in Figure 11, in the embodiment of the present invention the shared code update process is an update initiated by the system side for maintainability and automation, that is, the update is initiated by the device application relationship verification server: the device application relationship verification server sets a life cycle for each successfully registered first and second dynamic device verification shared code, and starts the update process for the first dynamic device verification shared code, the second dynamic device verification shared code and the dynamic key identification shared code before the life cycle runs out. It is also preferred that the shared code update process be initiated from the device application relationship verification server side, so that the system has robust security when an attack is detected.
As shown in Figure 11, the user terminal and the device application relationship verification server negotiate the third and fourth dynamic device verification shared codes, stored respectively on the user terminal and on the device application relationship verification server. In step S71 the device application relationship verification server and the device application relationship client produce the third dynamic device verification shared code; in step S72 the third dynamic device verification shared code is registered in the personal secure element; in step S73, in the same way as step S71, the fourth dynamic device verification shared code is produced; in step S74 the fourth dynamic device verification shared code is registered in the personal secure element.
As shown in Figure 11, the device application relationship verification server generates the second dynamic key identification shared code from its third and fourth dynamic device verification shared codes. Specifically, in step S75 the device application relationship verification server computes the second dynamic key identification shared code from the new third and fourth dynamic device verification shared codes.
As shown in Figure 11, the device application relationship verification server sends the user terminal a device update request message carrying the second dynamic key identification shared code. Specifically, in step S76 the device application relationship verification server composes the message body of the device update request message from a server random number U, the first dynamic key identification shared code and the second dynamic key identification shared code, signs the message body with the device application relationship verification server private key, and sends the device update request message, consisting of the message body and its signature, to the device application relationship client.
Specifically, the device application relationship verification server produces the device update request message, which consists at least of a message body made up of the server random number U, the current first dynamic key identification shared code and the second dynamic key identification shared code, together with a signature over the message body made with the device application relationship verification server private key; the device application relationship verification server sends the device update request message to the device application relationship client.
As shown in Figure 11, the user terminal generates a dynamic device update message from its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, and sends it to the device application relationship verification server. Specifically, the device application relationship client verifies the signature of the device update request message with the preset device application relationship verification server public key. Steps S77 and S78 build the dynamic device update message: the user terminal update registration credential consists of the dynamic device update message main message body credential and the dynamic device update message sub-message body credential; the sub-message body credential is computed by the user terminal from its third and fourth dynamic device verification shared codes, and the main message body credential is computed by the user terminal from its first and second dynamic device verification shared codes. In step S77 the device application relationship client composes the message body of the dynamic device update message from the server random number U, a timestamp, a sub-message random number, the first dynamic key identification shared code and the second dynamic key identification shared code, and computes the dynamic device update message sub-message body credential with the third and fourth dynamic device verification shared codes. In step S78 the sub-message body, the sub-message body credential and a main message random number form the main message body of the device update message, and the device update message main message body credential is computed with the current first and second dynamic device verification shared codes. In step S79 the device application relationship client produces the dynamic device update message from the main message body and the main message body credential, and sends it to the device application relationship verification server.
Specifically, the device application relationship client verifies the signature of the device update request message with the device application relationship verification server public key; if it passes, the following update process continues, otherwise the message is discarded. The device application relationship client produces the dynamic device update message: it composes the sub-message body from the server random number U, a timestamp, a sub-message random number, the first dynamic key identification shared code and the second dynamic key identification shared code, and computes the dynamic device update message sub-message body credential with the third and fourth dynamic device verification shared codes. The sub-message body, the sub-message body credential and the main message random number form the main message body of the dynamic device update message, and the main message body credential is computed with the first and second dynamic device verification shared codes. The dynamic device update message is formed from the main message body and the main message body credential and sent to the device application relationship verification server.
As shown in Figure 11, the device application relationship verification server verifies the dynamic device update message with its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code. In step S710 it uses the first and second dynamic device verification shared codes corresponding to the first dynamic key identification shared code to compute the dynamic device update message main message body credential and compares it with the corresponding credential sent in the message. In step S711 it uses the third and fourth dynamic device verification shared codes corresponding to the second dynamic key identification shared code to compute the dynamic device update message sub-message body credential and checks whether it is consistent with the sub-message body credential contained in the dynamic device update message. If both are consistent the following process continues, otherwise the message is discarded; this verification shows that the sender of the message holds the first dynamic key identification shared code and the second dynamic key identification shared code.
Specifically, the device application relationship verification server receives the dynamic device update message, computes the main message body credential of the dynamic device update message with the current first and second dynamic device verification shared codes corresponding to the current dynamic key identification shared code, and compares it with the dynamic device update message main message body credential sent; if consistent the following process continues, otherwise the message is discarded. It then computes the dynamic device update message sub-message body credential with the third and fourth dynamic device verification shared codes and compares it with the sub-message body credential sent in the dynamic device update message; if consistent, the new shared codes are successfully registered, otherwise the message is discarded.
In step S712 the device application relationship verification server composes the sub-message body of the device update confirmation message from a random number, the first dynamic key identification shared code and the second dynamic key identification shared code, and computes the device update confirmation message sub-message body credential with the first and second dynamic device verification shared codes.
In step S713 the device application relationship verification server forms the main message body of the device update confirmation message from the sub-message body, the sub-message body credential and a main message random number, and computes the device update confirmation message main message body credential with the third and fourth dynamic device verification shared codes.
As shown in Figure 11, the device application relationship verification server feeds the device update registration verification result back to the user terminal as follows: the device application relationship verification server sends the device update confirmation message to the user terminal; the user terminal computes the main message body credential of the device update confirmation message with the third and fourth dynamic device verification shared codes corresponding to its second dynamic key identification shared code, computes the device update confirmation message sub-message body credential with the first and second dynamic device verification shared codes corresponding to its first dynamic key identification shared code, and compares the computed main message body credential and sub-message body credential with the corresponding main message body credential and sub-message body credential sent in the message; if both verify, the user terminal sets its third dynamic device verification shared code, fourth dynamic device verification shared code and corresponding second dynamic key identification shared code to the successfully registered state; the user terminal stores the second dynamic key identification shared code; the user terminal sends the device application relationship verification server a device update registration message carrying a device registration credential produced with the user terminal's third and fourth dynamic device verification shared codes, together with the second dynamic key identification shared code; the device application relationship verification server verifies the device update registration message with its third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code; the device application relationship verification server feeds the device update registration verification result back to the user terminal. Specifically, step S714 produces the device update confirmation message: in implementation, the main message body credential of the device update confirmation message is computed over the main message body with the third and fourth dynamic device verification shared codes, and the device update confirmation message is composed of the main message body and the main message body credential.
Specifically, the device application relation verification server generates the device update confirmation message. The device update confirmation message forms its sub-message body from a sub-message random number, a timestamp, the first dynamic key identification shared code and the second dynamic key identification shared code, and uses the first dynamic device verification shared code and the second dynamic device verification shared code to calculate the sub-message body credential of the device update confirmation message. The device application relation verification server then forms the main message body of the device update confirmation message from the sub-message body, the sub-message body credential and a main message random number, and uses the third dynamic device verification shared code and the fourth dynamic device verification shared code to calculate the main message body credential of the device update confirmation message. The main message body and the main message body credential together constitute the device update confirmation message. The device application relation verification server sends the device update confirmation message to the device application relation client.
In step S714 the device application relation verification server sends the device update confirmation message to the device application relation client. In implementation, the device application relation client checks whether the second dynamic key identification shared code is correct; it uses the corresponding third dynamic device verification shared code and fourth dynamic device verification shared code to calculate the main message body credential of the device update confirmation message and compares it with the main message body credential carried in the received device update confirmation message. If they match, the subsequent flow continues; otherwise the message is discarded. It then uses the first dynamic device verification shared code and the second dynamic device verification shared code to calculate the sub-message body credential of the device update confirmation message and compares it with the sub-message body credential carried in the received device update confirmation message. If both checks pass, the device application relation client sets the third dynamic device verification shared code and the second dynamic device verification shared code to the "registered successfully" state.
In step S715 the device application relation client updates the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code to be the current shared codes and key identification used for verification, and generates the device update registration message. The device application relation client uses a client random number, a timestamp, the second dynamic key identification shared code, the third dynamic device verification shared code and the fourth dynamic device verification shared code to generate the device update registration message and sends it to the device application relation verification server.
In step S716 the device application relation client updates the second dynamic key identification shared code to be the current key identification shared code and saves it in the personal security unit. After the device application relation verification server completes verification according to the device update registration message verification flow, the server takes the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code as the current first dynamic key identification shared code, first dynamic device verification shared code and second dynamic device verification shared code for subsequent verification. In step S717 the device application relation verification server sends the device update end message to the device application relation client. This message confirms that both the device application relation verification server and the device application relation client have switched to the new shared codes as the source of verification authority, and the update process ends.
Specifically, the device application relation verification server uses the second dynamic key identification shared code included in the message to look up the corresponding third dynamic device verification shared code and fourth dynamic device verification shared code, calculates the message body credential and compares it with the message body credential carried in the received device update registration message. After verification passes, it updates the second dynamic key identification shared code and the corresponding third dynamic device verification shared code and fourth dynamic device verification shared code to be the current verification shared codes, and sends the device update end message to the device application relation client. The device update end message includes the current first dynamic key identification shared code and a random number; its message body credential is calculated using the third dynamic device verification shared code and the fourth dynamic device verification shared code. The device application relation client receives the device update end message, checks the current key identification shared code, calculates the message body credential of the device update end message using the third dynamic device verification shared code and the fourth dynamic device verification shared code, and compares it with the credential carried in the message. After verification passes, both the device application relation verification server and the device application relation client have completed switching to the third dynamic device verification shared code, the fourth dynamic device verification shared code and the new second dynamic key identification shared code as the source of verification authority, and the update process ends.
As shown in Fig. 3 and Fig. 12, the generation flow for the various authentication credentials of client messages in the embodiment of the present invention is as follows; the generation process of a message credential is described below using one kind of message as an example. Step S81: the application client requests the first dynamic key identification shared code of the current device. Step S82: the device application relation client returns the first dynamic key identification shared code to the application client. Step S83: the application client submits the message body, a message sequence composed of, for example but not limited to, the related application name or ID, the user ID or user name, the service type being accessed, the session ID, application-specified side information and a challenge random number, to the device application relation client, requesting calculation of the message body credential. Step S84: the device application relation client submits the message body to the personal security unit. Step S85: the personal security unit calculates the message credential using the first dynamic device verification shared code corresponding to the device application relation client. Step S86: the personal security unit calculates the credential using the corresponding second dynamic device verification shared code. Step S87: the personal security unit returns the credential to the device application relation client. Step S88: the device application relation client returns the credential to the application client.
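An added example, not code from the patent, modelling in Python the chained credential construction of steps S85 and S86 (one shared code, strengthened by a second), the nested device update confirmation message of step S714 and the client's two-layer check. HMAC-SHA256 as the credential primitive, canonical JSON as the body encoding, and every function and field name are assumptions; the patent does not fix them.

```python
"""Credential chaining and the device update confirmation exchange (added example)."""
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple


def canonical(body: dict) -> bytes:
    """Deterministic encoding so both parties hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def chained_credential(body: dict, *codes: bytes) -> str:
    """Credential over `body` keyed by the first code, then re-keyed by each
    further code (assumed construction). Two codes give the first/second code
    form; a third code models the fifth-code extension the text mentions."""
    if not codes:
        raise ValueError("at least one shared code is required")
    digest = hmac.new(codes[0], canonical(body), hashlib.sha256).digest()
    for code in codes[1:]:
        digest = hmac.new(code, digest, hashlib.sha256).digest()
    return digest.hex()


def message_credential(app_fields: dict, challenge: str,
                       code1: bytes, code2: bytes) -> str:
    """Steps S83-S86: application fields plus challenge nonce, credential
    computed with the first then the second dynamic device verification code."""
    body = dict(app_fields, challenge=challenge)
    return chained_credential(body, code1, code2)


@dataclass
class CodeSet:
    """Shared codes one party holds for one registration (constructed sample)."""
    key_id1: str    # first dynamic key identification shared code
    code1: bytes    # first dynamic device verification shared code
    code2: bytes    # second dynamic device verification shared code
    key_id2: str    # second (new) dynamic key identification shared code
    code3: bytes    # third dynamic device verification shared code
    code4: bytes    # fourth dynamic device verification shared code
    registered: set = field(default_factory=set)


def build_update_confirmation(server: CodeSet, now: Optional[int] = None) -> dict:
    """Server side of step S714: sub body credential under codes 1 and 2,
    main body (sub body + its credential + nonce) under codes 3 and 4."""
    ts = int(time.time()) if now is None else now
    sub_body = {"sub_nonce": os.urandom(8).hex(), "timestamp": ts,
                "key_id1": server.key_id1, "key_id2": server.key_id2}
    sub_credential = chained_credential(sub_body, server.code1, server.code2)
    main_body = {"sub_body": sub_body, "sub_credential": sub_credential,
                 "main_nonce": os.urandom(8).hex()}
    main_credential = chained_credential(main_body, server.code3, server.code4)
    return {"main_body": main_body, "main_credential": main_credential}


def verify_update_confirmation(client: CodeSet, msg: dict) -> bool:
    """Client side of step S714: key id check, outer check with codes 3 and 4,
    inner check with codes 1 and 2; new codes are marked registered only
    after both checks pass, otherwise the message is discarded unchanged."""
    main_body = msg["main_body"]
    sub_body = main_body["sub_body"]
    if sub_body.get("key_id2") != client.key_id2:
        return False
    expected_main = chained_credential(main_body, client.code3, client.code4)
    if not hmac.compare_digest(expected_main, msg["main_credential"]):
        return False
    expected_sub = chained_credential(sub_body, client.code1, client.code2)
    if not hmac.compare_digest(expected_sub, main_body["sub_credential"]):
        return False
    client.registered.update({"code3", "code4", "key_id2"})
    return True


def demo() -> Tuple[bool, bool]:
    """Constructed sample: matching code sets verify; a tampered timestamp does not."""
    codes = dict(key_id1="kid-1", code1=b"c1", code2=b"c2",
                 key_id2="kid-2", code3=b"c3", code4=b"c4")
    server, client = CodeSet(**codes), CodeSet(**codes)
    msg = build_update_confirmation(server, now=1700000000)
    ok = verify_update_confirmation(client, msg)
    tampered = json.loads(json.dumps(msg))   # deep copy, then alter the sub body
    tampered["main_body"]["sub_body"]["timestamp"] += 1
    return ok, verify_update_confirmation(CodeSet(**codes), tampered)


if __name__ == "__main__":
    print(demo())   # (True, False)
```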
To further demonstrate the advantages of the secure access authentication method provided by the embodiment of the present invention, the embodiment of the present invention also provides a user terminal that applies the above method. As shown in Fig. 13, this terminal includes: a device registration confirmation unit, for sending a device registration message to the device application relation verification server to establish a device security registration relation; an application authorization confirmation unit, for sending an authorization request message to the device application relation verification server and establishing an application-and-account-to-device security registration relation according to the device security registration relation; a security authentication request confirmation unit, for sending a device application access credential message to the device application relation verification server via the application service provider, where the device application access credential message is generated from the device application verification message sent by the application service provider to the login request unit; and a login unit, for responding to the application login request message according to the application login response message of the application service provider, where the application login response message is generated by the application service provider according to the verification result of the device application access credential message by the device application relation verification server. The secure access authentication user terminal provided by the embodiment of the present invention is described in detail below. The operating principle and process of the security authentication user terminal provided by the embodiment of the present invention are similar to the security authentication described above; refer to the security authentication method above, which is not repeated here.
As shown in Fig. 14, the device registration unit includes: a first dynamic device verification shared code negotiation unit, for negotiating with the device application relation verification server the first dynamic device verification shared code and the second dynamic device verification shared code, stored respectively in the user terminal and the device application relation verification server; a device registration request unit, for generating and sending to the device application relation verification server a device registration message carrying a device registration credential, where the device registration message is generated from the first dynamic device verification shared code and the second dynamic device verification shared code stored in the user terminal, and the first dynamic key identification shared code is generated by the device application relation verification server from its own first dynamic device verification shared code and second dynamic device verification shared code and then sent to the user terminal; and a device registration confirmation unit, for receiving, verifying and saving the registration verification result of the device application relation verification server, where the registration verification result is obtained by the device application relation verification server after verifying the device registration message against its own first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code; said first dynamic key identification shared code is generated by said device application relation verification server from said first dynamic device verification shared code and second dynamic device verification shared code of said device application relation verification server. The device registration message includes: the device registration credential, the registration time, the device type and description, and the device location.
As shown in Fig. 15, the application authorization unit includes: an application authorization request unit, for generating an authorization request message and sending it via the application service provider to the device application relation verification server; an application authorization response unit, for generating an authorization response message and sending it via the application service provider to the device application relation verification server, where the authorization response message is generated from the dynamic authorization code ciphertext and a randomly generated number and carries an authorization response credential; the dynamic authorization code ciphertext is generated by the device application relation verification server from the application authorization request message and sent via the application service provider, and the randomly generated number is sent by the application service provider after the user terminal sends the dynamic authorization code; and an application authorization confirmation unit, for receiving, verifying and saving the application authorization confirmation result of the device application relation verification server, where the registration verification result is obtained by the device application relation verification server after verifying the authorization response message against its own first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code and then verifying the authorization code ciphertext.
The login request unit of the secure access authentication user terminal also includes an application access credential unit, for generating the device application access credential message body, calculating the device application access credential message body credential, generating the device application access credential message comprising the device application access credential message body and the device application access credential message body credential, and sending the device application access credential message to the application service provider.
As shown in Fig. 16, the secure access authentication user terminal also includes a device registration update unit, comprising: a second dynamic device verification shared code negotiation unit, for negotiating with the device application relation verification server the third dynamic device verification shared code and the fourth dynamic device verification shared code, stored respectively in the user terminal and the device application relation verification server; a device update registration request unit, for generating and sending to the device application relation verification server a dynamic device update message carrying a device update registration credential, where the dynamic device update message is generated from the first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code stored in the user terminal, and the second dynamic key identification shared code is generated by the device application relation verification server from its own third dynamic device verification shared code and fourth dynamic device verification shared code and then sent to the user terminal; and a device update registration verification unit, for receiving, verifying and saving the registration verification result of the device application relation verification server, where the update registration verification result is obtained by the device application relation verification server after verifying the dynamic device update message against its own first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code. The user terminal's update registration credential includes the dynamic device update message main message body credential and the dynamic device update message sub-message body credential: the dynamic device update message sub-message body credential is calculated by the user terminal from its third dynamic device verification shared code and fourth dynamic device verification shared code; the dynamic device update message main message body credential is calculated by the user terminal from its first dynamic device verification shared code and second dynamic device verification shared code.
To further demonstrate the advantages of the secure access authentication method provided by the embodiment of the present invention, the embodiment of the present invention also provides a server that applies the above method. As shown in Fig. 17, this device application relation verification server includes: a device registration confirmation unit, for accepting the device registration message sent by the user terminal and establishing a device security registration relation; an application authorization confirmation unit, for receiving the authorization request message sent by the user terminal and establishing an application-and-account-to-device security registration relation according to the device security registration relation; a security authentication request confirmation unit, for receiving the device application verification request message sent via the application service provider, where the device application access credential message is generated from the device application verification request message sent by the application service provider to the login request unit; and a secure access authentication confirmation unit, which receives the device application access credential message and, after verifying it, generates the device application verification result message from which the application service provider produces the application login response message; the user terminal then processes the login response according to the response result of the application service provider. The operating principle and process by which the embodiment of the present invention verifies application service access through the application-and-account-to-device security registration relation are similar to the security authentication described above; refer to the security authentication method above, which is not repeated here.
As shown in Fig. 18, the device registration confirmation unit includes: a first dynamic device verification shared code negotiation unit, for negotiating with the user terminal the first dynamic device verification shared code and the second dynamic device verification shared code, stored respectively in the user terminal and the device application relation verification server, and for allocating to said first dynamic device verification shared code and second dynamic device verification shared code the corresponding first dynamic device verification shared code registration ID and second dynamic device verification shared code registration ID; a first dynamic key identification shared code generation unit, for generating the first dynamic key identification shared code from the first dynamic device verification shared code and second dynamic device verification shared code of the device application relation verification server and sending it to the user terminal; and a device registration verification unit, for receiving the device registration message sent by the user terminal, verifying it against the first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code of the device application relation verification server, and then sending the device registration confirmation result to the user terminal; the device registration message is generated from the first dynamic device verification shared code and second dynamic device verification shared code stored in the user terminal, and carries the device registration credential together with said first dynamic device verification shared code registration ID and second dynamic device verification shared code registration ID.
As shown in Fig. 19, the application authorization confirmation unit includes: an application authorization request processing unit, for receiving the authorization request message sent by the user terminal, generating the dynamic authorization code ciphertext from the application authorization request message and sending it via the application service provider to the user terminal; and an application authorization response processing unit, which receives the authorization response message sent by the user terminal, verifies it against the first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code of the device application relation verification server, then verifies the dynamic authorization code ciphertext, and generates an authorization notification message that is sent via the application service provider to the user terminal; the authorization response message is generated by the user terminal from the dynamic authorization code ciphertext and a randomly generated number and carries an authorization response credential, and the randomly generated number is sent by the application service provider to the user terminal after it sends the dynamic authorization code ciphertext. Specifically, the device application relation verification server generating the dynamic authorization code from the application authorization request message includes: generating a dynamic authorization code from the authorization request message; generating a dynamic authorization key from the authorization request message; encrypting said dynamic authorization code with said dynamic authorization key; and sending the dynamic authorization code ciphertext to the application service provider. Generating the authorization notification message includes: checking, using the device security registration relation, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key corresponding to the device security registration relation and checking whether the decrypted authorization code matches the authorization code issued by said device application relation verification server; and, if both match, adding the application, user ID, authorized service operations and authorization time corresponding to this authorization code, together with the device relation, to the device application list.
The login response unit of the device application relation verification server also includes a login request verification unit, for: using the first dynamic key identification shared code to look up, in the application relation verification server, the first dynamic device verification shared code and the second dynamic device verification shared code; calculating the message body credential of the device application access credential message using the first dynamic device verification shared code and the second dynamic device verification shared code; comparing whether the calculated credential is consistent with the credential carried in the message; and, if consistent, further checking whether the corresponding application-and-account-to-device security registration relation holds an authorization relation for the application and account requested in the message, thereby obtaining the verification result.
As shown in Fig. 20, the device application relation verification server also includes a device registration update confirmation unit, comprising: a second dynamic device verification shared code negotiation unit, for negotiating with the user terminal the third dynamic device verification shared code and the fourth dynamic device verification shared code, stored respectively in the user terminal and the device application relation verification server; a second dynamic key identification shared code generation unit, for generating the second dynamic key identification shared code from the third dynamic device verification shared code and fourth dynamic device verification shared code of the device application relation verification server and sending it to the user terminal; and a device update registration request confirmation unit, for receiving the dynamic device update message sent by the user terminal, verifying it against the first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code of the device application relation verification server, then obtaining the device update confirmation message and sending it to the user terminal; the dynamic device update message is generated from the first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code stored in the user terminal, and carries the device update registration credential. The user terminal's update registration credential includes the dynamic device update message main message body credential and the dynamic device update message sub-message body credential: the dynamic device update message sub-message body credential is calculated by the user terminal from its third dynamic device verification shared code and fourth dynamic device verification shared code; the dynamic device update message main message body credential is calculated by the user terminal from its first dynamic device verification shared code and second dynamic device verification shared code.
In implementation, the present invention possesses the ability to extend the capacity of device security registration relations. The embodiment of the present invention realizes verification based on the first dynamic device verification shared code, strengthened by the second dynamic device verification shared code; by analogy, the same method can be extended to produce a fifth dynamic device verification shared code, increasing the number of managed devices while the technology and process of the whole invention remain unchanged. In implementation, the fifth dynamic device shared code can also be used to extend the method by encrypting once more the credential calculated with the first dynamic device verification shared code and the second dynamic device verification shared code as keys; the first dynamic key identification shared code then corresponds to the first dynamic device verification shared code, the second dynamic device verification shared code and the fifth dynamic device verification shared code. The above embodiment uses only the first dynamic device verification shared code and the second dynamic device verification shared code as the preferred embodiment for illustration; it should be understood that the present invention is not limited to this, and other embodiments that verify using dynamic device verification shared codes can also realize the present invention, for example one dynamic device verification shared code, three dynamic device verification shared codes or five dynamic device verification shared codes. The specific implementation is essentially the same as the above embodiment; refer to the above embodiment and make the corresponding adaptive changes, which are not repeated here.
In implementation, the embodiment of the present invention can still be deployed without enabling the second dynamic device verification shared code, with the remaining technology, methods, systems and devices unchanged, and still obtains a method and system that is automatic and secure in the access verification process and does not increase the operational complexity for the terminal user. Likewise, when a fifth dynamic device verification shared code is added, its effect and method are consistent with those of the second dynamic device verification shared code.
In implementation, when the second dynamic device verification shared code function is not enabled, the ability to resist brute-force attack threats declines, for example the threat of a birthday attack; furthermore, the range of a single key length limits the upper bound on the number of device application relation clients that can be managed, so the number of manageable devices is greatly reduced, but this is sufficient for some enterprise-specific scenarios, such as scenarios with few client devices.
In implementation, when the second dynamic device verification shared code is not used, the changes during implementation are as follows: in the embodiment of the present invention, the first dynamic key identification shared code corresponds only to the first dynamic device verification shared code; calculating and verifying message body credentials with the first dynamic verification shared code and the second dynamic verification shared code is transformed into calculations and comparisons involving only the first dynamic device verification shared code; and the dynamic device application relation client and the device application relation verification server do not manage or distribute resources and data related to the second dynamic device verification shared code.
In summary, the embodiments of the present invention provide a secure access authentication method, a user terminal and a server. Through double authentication, device authentication combined with application authorization, the security of the information that a user terminal application accesses on the application service end is effectively ensured. Dynamic device access credential technology prevents an attacker, even when the user account and password have been stolen, from accessing the service or the application's account-related information from an unauthorized third-party device. The present invention produces, encrypts and verifies dynamic device credentials through a continuously automated process, which saves the step of manually entering a secondary user verification code each time a user application account is accessed. The present invention prevents man-in-the-middle attacks by a double signing mechanism, thereby ensuring end-to-end security of the shared codes. Through the dynamic device verification shared code mechanism, the present invention improves resistance to brute-force and birthday attacks. The present invention authorizes a mobile smart device by verification based on the dynamic device verification shared code, preventing other devices from being authorized if the authorization verification code is stolen. The present invention also provides a secure, fast and automatic key update method, achieving low cost for the system's threat response and maintenance. The present invention provides a way of extending the authentication client key that achieves the extension without increasing the implementation difficulty of the encryption algorithm or affecting execution efficiency, greatly increasing the number of manageable client devices and solving the generality problem. With the method described in the present invention, access is authenticated by the authorization mechanism on the computer smart device through which the application account is accessed, so that after a password is stolen a third-party device cannot gain access because it is not authorized, and the system and the account holder can perceive the password leak at the first opportunity and remedy the security breach in time.
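The key update mentioned above is set out in claims 8 to 10 below; the following added example (Python, not code from the patent) sketches that renewal exchange. The patent does not fix the credential function or the key-identifier derivation, so this example assumes HMAC-SHA256 over canonical JSON for the message body credentials and a truncated SHA-256 over the two shared codes for the key identifier, and uses random bytes as the negotiated codes. What it shows is the dual credential: the update message is bound to both the old pair (codes 1 and 2) and the new pair (codes 3 and 4), the server's confirmation mirrors that binding, and neither message can be forged without both pairs.

```python
"""Device security registration renewal with dual message body credentials.
Added example; credential function, key-identifier derivation and message
layout are assumptions modelled on claims 4, 8, 9 and 10, not patent code."""
import hashlib
import hmac
import json
import secrets


def key_identifier(code_a: bytes, code_b: bytes) -> str:
    # Key identifier shared code for a pair of shared codes (assumption: truncated SHA-256).
    return hashlib.sha256(code_a + code_b).hexdigest()[:16]


def credential(code_a: bytes, code_b: bytes, body: dict) -> str:
    # Message body credential keyed with a pair of shared codes (assumption: HMAC-SHA256 over canonical JSON).
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(code_a + code_b, canonical, hashlib.sha256).hexdigest()


def dual_credential_message(outer_pair, inner_pair, outer_fields: dict, inner_fields: dict) -> dict:
    # Main message body = extra fields + sub-message body + sub-message body credential
    # (the layout of claim 4).  The sub credential is keyed with inner_pair; the main
    # credential over the whole main body is keyed with outer_pair (claims 9 and 10).
    sub_body = dict(inner_fields, salt=secrets.token_hex(8))
    main_body = dict(outer_fields, sub_body=sub_body,
                     sub_credential=credential(*inner_pair, sub_body))
    return {"main_body": main_body, "main_credential": credential(*outer_pair, main_body)}


def verify_dual(msg: dict, outer_pair, inner_pair) -> bool:
    main_body = msg["main_body"]
    main_ok = hmac.compare_digest(credential(*outer_pair, main_body), msg["main_credential"])
    sub_ok = hmac.compare_digest(credential(*inner_pair, main_body["sub_body"]),
                                 main_body["sub_credential"])
    return main_ok and sub_ok


def renewal_round_trip(tamper: bool = False) -> dict:
    result = {"update_verified": False, "confirmation_verified": False, "renewal_registered": False}
    # Negotiated pairs (claim 8); constructed here as random bytes.
    old_pair = (secrets.token_bytes(32), secrets.token_bytes(32))  # codes 1 and 2
    new_pair = (secrets.token_bytes(32), secrets.token_bytes(32))  # codes 3 and 4
    kid1, kid2 = key_identifier(*old_pair), key_identifier(*new_pair)
    server_codes = {kid1: old_pair, kid2: new_pair}  # server-side lookup table

    # Terminal -> server: dynamic device update message (claims 8 and 10).
    # Main body credential under codes 1,2; sub-message body credential under codes 3,4.
    update = dual_credential_message(old_pair, new_pair,
                                     {"first_key_id": kid1, "second_key_id": kid2},
                                     {"second_key_id": kid2})
    if tamper:  # an attacker substitutes a key identifier of their own
        update["main_body"]["second_key_id"] = "0" * 16
    body = update["main_body"]
    if not verify_dual(update, server_codes.get(body["first_key_id"], (b"", b"")),
                       server_codes.get(body["second_key_id"], (b"", b""))):
        return result
    result["update_verified"] = True

    # Server -> terminal: device update confirmation message (claim 9).
    # Main body credential under codes 3,4; sub-message body credential under codes 1,2.
    confirm = dual_credential_message(new_pair, old_pair,
                                      {"second_key_id": kid2, "result": "ok"},
                                      {"first_key_id": kid1})
    if not verify_dual(confirm, new_pair, old_pair):  # the terminal uses its own stored codes
        return result
    result["confirmation_verified"] = True
    # The terminal now marks codes 3,4 and kid2 as registered and stores kid2.

    # Terminal -> server: device update registration message under codes 3,4 only (claim 9).
    reg_body = {"second_key_id": kid2, "salt": secrets.token_hex(8)}
    reg = {"body": reg_body, "credential": credential(*new_pair, reg_body)}
    pair = server_codes.get(reg["body"]["second_key_id"], (b"", b""))
    result["renewal_registered"] = hmac.compare_digest(credential(*pair, reg["body"]), reg["credential"])
    return result
```

The server resolves both key identifiers from the update message to its stored pairs before verifying, so a message that names an unknown or substituted identifier fails on the sub-message body credential even if the outer credential were somehow valid; the same pattern, with the roles of the pairs swapped, protects the confirmation on the way back.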
The present invention can help enterprises and institutions whose application networks are professionally managed to control the boundary from which applications are accessed, down to the device. Users can authorize device-application relations in the manner described above. The present invention is suitable for the self-service mode and for the changeable, flexible demands of public users. On a corporate intranet, the operations department can configure the enterprise's application and device relations automatically, saving each employee the self-service authorization process and thereby achieving boundary control of enterprise IT access endpoint devices.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
It should be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element. Terms such as "upper" and "lower" indicate orientations or positional relationships based on those shown in the drawings; they are used only to facilitate and simplify the description of the present invention, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, and are therefore not to be considered as limiting the present invention. Unless otherwise expressly specified and limited, the terms "installed", "connected" and "coupled" are to be understood broadly: for example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; it may be direct, indirect through an intermediary, or an internal connection between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the particular circumstances.
In the description of the present invention, numerous specific details are set forth. It is understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description. Similarly, it should be appreciated that, in order to simplify the disclosure and aid the understanding of one or more of the various inventive aspects, features of the present invention are sometimes grouped together in a single embodiment, figure or description thereof in the description of the exemplary embodiments above. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention. It should be noted that, where there is no conflict, the embodiments in the present application and the features in the embodiments may be combined with one another. The present invention is not limited to any single aspect, nor to any single embodiment, nor to any combination and/or permutation of these aspects and/or embodiments. Moreover, each aspect and/or embodiment of the present invention may be used alone or in combination with one or more other aspects and/or embodiments.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention; they should all be covered by the claims and the description of the present invention.
Claims (28)
1. A secure access authentication method, characterised in that it comprises:
a user terminal sending a device registration message to a device application relation verification server and establishing a device security registration relation;
the user terminal sending an authorization request message to the device application relation verification server and, according to the device security registration relation, establishing an application-and-account to device security registration relation;
the user terminal sending an application login request message to an application provision server;
the application provision server sending a require-device-application-verification message to the user terminal;
the user terminal sending a device application access credential message to the application provision server;
the application provision server processing the device application access credential message and sending it to the device application relation verification server;
the device application relation verification server verifying the device application access credential message according to the application-and-account to device security registration relation, and sending an application secure access authentication result to the application provision server;
the application provision server responding to the application login request message of the user terminal according to the application secure access authentication result.
2. The secure access authentication method according to claim 1, characterised in that the user terminal sending a device registration message to the device application relation verification server and establishing a device security registration relation comprises:
the user terminal and the device application relation verification server negotiating a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored respectively at the user terminal and at the device application relation verification server; the device application relation verification server assigning to the first dynamic device verification shared code a corresponding first dynamic device verification shared code registration ID and to the second dynamic device verification shared code a corresponding second dynamic device verification shared code registration ID;
the device application relation verification server generating a first dynamic key identifier shared code from its first dynamic device verification shared code and second dynamic device verification shared code;
the device application relation verification server sending to the user terminal a dynamic device shared code verification message carrying the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID; wherein the dynamic device shared code verification message includes a dynamic device shared code verification message sub-message body credential and a dynamic device shared code verification message signature;
the user terminal verifying the dynamic device shared code verification message sub-message body credential using its first dynamic device verification shared code and second dynamic device verification shared code, verifying the dynamic device shared code verification message signature using the public key of the device application relation verification server, and generating a device registration credential after the verification passes;
the user terminal sending to the device application relation verification server a device registration message carrying the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID;
the device application relation verification server verifying the device registration message using the first dynamic device verification shared code and second dynamic device verification shared code held by the device application relation verification server that correspond to the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID in the device registration message;
after the device registration message is verified, the device application relation verification server feeding back to the user terminal a device registration confirmation message carrying the device registration verification result and the first dynamic key identifier shared code.
3. The secure access authentication method according to claim 2, characterised in that the device registration message includes one or more of: the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID.
4. The secure access authentication method according to claim 2, characterised in that the dynamic device shared code verification message includes:
a dynamic device shared code verification message main message body and a dynamic device shared code verification message signature;
the dynamic device shared code verification message main message body includes a dynamic device shared code verification message sub-message body and a dynamic device shared code verification message sub-message body credential;
the sub-message body includes the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID and a random salt value;
the dynamic device shared code verification message sub-message body credential is produced from the first dynamic device verification shared code and the second dynamic device verification shared code;
the dynamic device shared code verification message signature is obtained by the device application relation verification server signing the dynamic device shared code verification message main message body with its private key.
5. The secure access authentication method according to claim 1, characterised in that the user terminal sending an authorization request message to the device application relation verification server and establishing an application-and-account to device security registration relation according to the device security registration relation comprises:
the application provision server receiving and processing the application authorization request message of the user terminal and sending it to the device application relation verification server;
the device application relation verification server generating a dynamic authorization code ciphertext according to the application authorization request message and sending it to the application provision server;
the application provision server sending the dynamic authorization code ciphertext and a randomly generated number to the user terminal in sequence;
the user terminal generating, according to the dynamic authorization code and the randomly generated number, an authorization response message carrying an authorization credential and sending it to the application provision server, the authorization message including the randomly generated number and the dynamic authorization code ciphertext;
the application provision server receiving and processing the authorization response message of the user terminal and sending it to the device application relation verification server;
the device application relation verification server verifying the authorization response message according to the device security registration relation, then verifying the dynamic authorization code ciphertext, and feeding back the application confirmation result to the user terminal through the application provision server.
6. The secure access authentication method according to claim 5, characterised in that the device application relation verification server generating a dynamic authorization code ciphertext according to the application authorization request message comprises:
generating a dynamic authorization code according to the authorization request message;
generating a dynamic authorization key according to the authorization request message;
encrypting the dynamic authorization code with the dynamic authorization key;
sending an authorization code message including the dynamic authorization code ciphertext and the first dynamic key identifier shared code to the application provision server.
7. The secure access authentication method according to claim 5, characterised in that the device application relation verification server verifying the authorization response message according to the device security registration relation, then verifying the authorization code ciphertext and feeding back the application confirmation result to the user terminal through the application provision server comprises:
verifying, using the device security registration relation, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the server-side authorization code key of the device security registration relation, and verifying whether the decrypted authorization code matches the authorization code distributed by the device application relation verification server;
if both match, adding the relation between the application, user ID, authorized service operations and authorization time corresponding to this authorization code and the device to the device application list.
8. The secure access authentication method according to claim 1, characterised in that it further comprises updating the device security registration relation:
the user terminal and the device application relation verification server negotiating a third dynamic device verification shared code and a fourth dynamic device verification shared code, stored respectively at the user terminal and at the device application relation verification server;
the device application relation verification server generating a second dynamic key identifier shared code from its third dynamic device verification shared code and fourth dynamic device verification shared code;
the device application relation verification server sending to the user terminal a require-device-update message carrying the second dynamic key identifier shared code and the first dynamic key identifier shared code;
the user terminal generating a dynamic device update message from its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identifier shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identifier shared code, and sending it to the device application relation verification server; the dynamic device update message including a user terminal update registration credential, the first dynamic key identifier shared code and the second dynamic key identifier shared code;
the device application relation verification server verifying the dynamic device update message using its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identifier shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identifier shared code;
the device application relation verification server generating a device update confirmation message from its third dynamic device verification shared code, fourth dynamic device verification shared code, second dynamic key identifier shared code, first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identifier shared code;
the device application relation verification server feeding back the device update registration verification result to the user terminal.
9. The secure access authentication method according to claim 8, characterised in that the device application relation verification server feeding back the device update registration verification result to the user terminal comprises:
the device application relation verification server feeding back the device update confirmation message to the user terminal;
the user terminal computing the main message body credential of the device update confirmation message from the third dynamic device verification shared code and fourth dynamic device verification shared code corresponding to its second dynamic key identifier shared code, computing the sub-message body credential of the device update confirmation message from the first dynamic device verification shared code and second dynamic device verification shared code corresponding to its first dynamic key identifier shared code, and comparing the computed main message body credential and sub-message body credential with the corresponding main message body credential and sub-message body credential sent in the message;
if both verifications pass, the user terminal setting its third dynamic device verification shared code, fourth dynamic device verification shared code and the corresponding second dynamic key identifier shared code to the successfully registered state;
the user terminal storing the second dynamic key identifier shared code;
the user terminal sending to the device application relation verification server a device update registration message carrying a device registration credential produced from its third dynamic device verification shared code and fourth dynamic device verification shared code, together with the second dynamic key identifier shared code;
the device application relation verification server verifying the device update registration message using its third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identifier shared code;
the device application relation verification server feeding back the device update registration verification result to the user terminal.
10. The secure access authentication method according to claim 8, characterised in that the user terminal update registration credential includes a dynamic device update message main message body credential and a dynamic device update message sub-message body credential:
the dynamic device update message sub-message body credential is computed by the user terminal from its third dynamic device verification shared code and fourth dynamic device verification shared code;
the dynamic device update message main message body credential is computed by the user terminal from its first dynamic device verification shared code and second dynamic device verification shared code.
11. The secure access authentication method according to claim 1, characterised in that the require-device-application-verification message carries a session processing ID.
12. The secure access authentication method according to claim 1, characterised in that the user terminal sending a device application access credential message to the application provision server comprises:
producing a device application access credential message body including the session processing ID, and computing the device application access credential message body credential corresponding to the session processing ID;
generating a device application access credential message including the device application access credential message body and the device application access credential message body credential;
sending the device application access credential message to the application provision server.
13. The secure access authentication method according to claim 1, characterised in that the device application relation verification server verifying the device application access credential message according to the application-and-account to device security registration relation comprises:
using the first dynamic key identifier shared code to look up the first dynamic device verification shared code and the second dynamic device verification shared code in the application relation verification server;
computing the message body credential of the device application access credential message using the first dynamic device verification shared code and the second dynamic device verification shared code;
comparing whether the computed credential is consistent with the credential sent in the message; if it is consistent, further checking whether the corresponding application-and-account to device security registration relation contains an authorization relation for the application and account requested in the message, thereby obtaining the verification result.
14. A secure access authentication user terminal, characterised in that it comprises:
a device registration unit, for sending a device registration message to a device application relation verification server to establish a device security registration relation;
an application authorization unit, for sending an authorization request message to the device application relation verification server and establishing an application-and-account to device security registration relation according to the device security registration relation;
a login request unit, for sending an application login request message to an application provision server;
a secure authentication request unit, for sending a device application verification request message to the device application relation verification server through the application provision server; the device application access credential message is generated from the require-device-application-verification message that the application provision server sends to the login request unit;
a login unit, for responding to the login request message according to the login response result of the application provision server, the login response result being generated by the application provision server after the device application relation verification server verifies the device application access credential message according to the application-and-account to device security registration relation.
15. The secure access authentication user terminal according to claim 14, characterised in that the device registration unit includes:
a first dynamic device verification shared code negotiation unit, configured to negotiate with the device-application relationship verification server to generate a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored respectively in the user terminal and in the device-application relationship verification server;
a device registration request unit, configured to generate and send to the device-application relationship verification server a device registration message carrying a device registration credential; the device registration message includes a first dynamic device verification shared code registration ID and a second dynamic device verification shared code registration ID;
the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID are the registration IDs that the device-application relationship verification server generates for, and pairs with, the first and second dynamic device verification shared codes, and then sends to the user terminal;
the device registration message is generated from the first and second dynamic device verification shared codes stored in the user terminal together with the first and second dynamic device verification shared code registration IDs;
a device registration confirmation unit, configured to receive, verify and store the first dynamic key identification shared code and the registration verification result sent by the device-application relationship verification server; the registration verification result is obtained after the device-application relationship verification server verifies the device registration message using its own first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code;
the first dynamic key identification shared code is generated by the device-application relationship verification server from its first dynamic device verification shared code and second dynamic device verification shared code.
16. The secure access authentication user terminal according to claim 15, characterised in that the device registration message includes: a device registration credential, the first dynamic device verification shared code registration ID, and the second dynamic device verification shared code registration ID.
17. The secure access authentication user terminal according to claim 14, characterised in that the application authorization unit includes:
an application authorization request unit, configured to generate an authorization request message and send it, via the application providing server, to the device-application relationship verification server;
an application authorization response unit, configured to generate an authorization response message and send it, via the application providing server, to the device-application relationship verification server; the authorization response message is generated from the dynamic authorization code ciphertext and the random number, and carries an authorization credential; the dynamic authorization code ciphertext is generated by the device-application relationship verification server according to the application authorization request message and is forwarded by the application providing server, and the random number is sent by the application providing server after it has sent the dynamic authorization code to the user terminal;
an application authorization confirmation unit, configured to receive, verify and store the application authorization confirmation result of the device-application relationship verification server; the authorization confirmation result is obtained by the device-application relationship verification server after it first verifies the authorization response message using its first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code, and then verifies the authorization code ciphertext.
18. The secure access authentication user terminal according to claim 14, characterised in that the login request unit further includes an application access credential unit, configured to: produce a device application access credential message body; compute the device application access credential message body credential; generate a device application access credential message that includes the device application access credential message body and the device application access credential message body credential; and send the device application access credential message to the application providing server.
19. The secure access authentication user terminal according to claim 14, characterised in that it further includes a device registration update unit, including:
a second dynamic device verification shared code negotiation unit, configured to negotiate with the device-application relationship verification server to generate a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored respectively in the user terminal and in the device-application relationship verification server;
a device registration update request unit, configured to generate and send to the device-application relationship verification server a dynamic device update message carrying a device update credential; the dynamic device update message is generated from the first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code stored in the user terminal; the second dynamic key identification shared code is generated by the device-application relationship verification server from its third and fourth dynamic device verification shared codes and then sent to the user terminal;
a device registration update verification unit, configured to receive, verify and store the registration verification result of the device-application relationship verification server; the update registration verification result is obtained after the device-application relationship verification server verifies the dynamic device update message using its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, second dynamic device verification shared code, third dynamic device verification shared code and fourth dynamic key identification shared code.
20. The secure access authentication user terminal according to claim 16, characterised in that the user terminal update registration credential includes a dynamic device update message main message body credential and a dynamic device update message sub-message body credential:
the dynamic device update message sub-message body credential is computed by the user terminal from its third dynamic device verification shared code and fourth dynamic device verification shared code;
the dynamic device update message main message body credential is computed by the user terminal from its first dynamic device verification shared code and second dynamic device verification shared code.
21. A device-application relationship verification server, characterised in that it includes:
a device registration confirmation unit, configured to accept the device registration message sent by the user terminal and establish a device secure registration relationship;
an application authorization confirmation unit, configured to receive the authorization request message sent by the user terminal and to establish an application-account-device secure registration relationship on the basis of the device secure registration relationship;
a security authentication request confirmation unit, configured to receive the device application access credential message forwarded by the application providing server; the device application access credential message is generated in response to the request-for-device-application-verification message that the application providing server sends to the login request unit;
a login response unit, configured to verify the device application access credential information against the application-account-device secure registration relationship, generate an application secure access authentication result, and send a login response result via the application providing server; the user terminal responds to the login request message according to the login response result of the application providing server.
22. The device-application relationship verification server according to claim 21, characterised in that the device registration confirmation unit includes:
a first dynamic device verification shared code negotiation unit, configured to negotiate with the user terminal to produce a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored respectively in the user terminal and in the device-application relationship verification server, and to produce the first dynamic device verification shared code registration ID and second dynamic device verification shared code registration ID paired with the first and second dynamic device verification shared codes;
a first dynamic key identification shared code generation unit, configured to generate a first dynamic key identification shared code from the server's first dynamic device verification shared code and second dynamic device verification shared code and send it to the user terminal;
a device registration confirmation unit, configured to receive the device registration message sent by the user terminal, verify it using the server's first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code, and then send a device registration confirmation result to the user terminal; the device registration message is generated from the first and second dynamic device verification shared codes stored in the user terminal together with the first and second dynamic device verification shared code registration IDs, and carries a device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID.
23. The device-application relationship verification server according to claim 21, characterised in that the application authorization confirmation unit includes:
an application authorization request processing unit, configured to receive the authorization request message sent by the user terminal, generate a dynamic authorization code ciphertext according to the application authorization request message, and send it to the user terminal via the application providing server;
an application authorization response processing unit, configured to receive the authorization response message sent by the user terminal, verify the authorization response message using the server's first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code, then verify the dynamic authorization code ciphertext, generate an authorization notification message and send it to the user terminal via the application providing server; the authorization response message is generated by the user terminal from the dynamic authorization code ciphertext and the random number and carries an authorization credential; the random number is sent by the application providing server after it has sent the dynamic authorization code ciphertext to the user terminal.
24. The device-application relationship verification server according to claim 21, characterised in that the device-application relationship verification server generating the dynamic authorization code according to the application authorization request message includes:
generating a dynamic authorization code according to the authorization request message;
generating a dynamic authorization key according to the authorization request message;
encrypting the dynamic authorization code with the dynamic authorization key;
sending the dynamic authorization code ciphertext to the application providing server.
25. The device-application relationship verification server according to claim 24, characterised in that generating the authorization notification message includes:
checking, using the device secure registration relationship, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key corresponding to the device secure registration relationship, and checking whether the decrypted authorization code matches the authorization code issued by the device-application relationship verification server;
if both checks pass, adding the application corresponding to this authorization code, the user ID, the authorized service operations and the authorization time to the device application list as a relationship with the device.
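The authorization-code exchange of claims 23 to 25, modelled end to end as an added example (not code from the patent). Assumptions not stated in the claims: credentials are HMAC-SHA256 keyed with the two dynamic device verification shared codes; the "ciphertext" is produced by a stand-in XOR cipher with an HMAC-derived keystream; the key is derived from the request message and the shared codes; all names, field layouts and the 6-character code are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def credential(shared1: bytes, shared2: bytes, *fields: bytes) -> bytes:
    """Authorization credential: HMAC-SHA256 keyed with both shared codes (assumed)."""
    return hmac.new(shared1 + shared2, b"|".join(fields), hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 counter keystream; the same call decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class DeviceRelation:
    """Device secure registration relationship as held by the verification server."""
    shared1: bytes                                  # first dynamic device verification shared code
    shared2: bytes                                  # second dynamic device verification shared code
    pending_code: Optional[bytes] = None            # dynamic authorization code just issued
    pending_key: Optional[bytes] = None             # dynamic authorization key just issued
    app_list: list = field(default_factory=list)    # claim 25: device application list


class VerificationServer:
    def __init__(self) -> None:
        self.relations: dict[bytes, DeviceRelation] = {}   # keyed by key identification shared code

    def handle_auth_request(self, key_id: bytes, request: bytes) -> bytes:
        """Claim 24: derive code and key from the request, return the ciphertext."""
        rel = self.relations[key_id]
        rel.pending_code = secrets.token_hex(3).encode()          # constructed 6-character code
        rel.pending_key = hmac.new(rel.shared1 + rel.shared2, b"authkey|" + request,
                                   hashlib.sha256).digest()      # assumed derivation
        return keystream_xor(rel.pending_key, rel.pending_code)

    def handle_auth_response(self, key_id: bytes, ciphertext: bytes, rand: bytes,
                             auth_cred: bytes, app: str, user_id: str, ops: str, when: str) -> bool:
        """Claim 25: check the authorization credential, then decrypt and compare the code."""
        rel = self.relations.get(key_id)
        if rel is None or rel.pending_key is None or rel.pending_code is None:
            return False                                          # no outstanding request
        expected = credential(rel.shared1, rel.shared2, ciphertext, rand)
        if not hmac.compare_digest(expected, auth_cred):
            return False                                          # credential does not bind this ciphertext
        if not hmac.compare_digest(keystream_xor(rel.pending_key, ciphertext), rel.pending_code):
            return False                                          # decrypted code differs from the issued one
        rel.app_list.append((app, user_id, ops, when))            # record the device relationship
        rel.pending_code = rel.pending_key = None                 # code is single-use
        return True


class UserTerminal:
    def __init__(self, key_id: bytes, shared1: bytes, shared2: bytes) -> None:
        self.key_id, self.shared1, self.shared2 = key_id, shared1, shared2

    def auth_response(self, ciphertext: bytes, rand: bytes) -> bytes:
        """Claim 17: authorization credential over the ciphertext and the random number."""
        return credential(self.shared1, self.shared2, ciphertext, rand)


def run_authorization_flow() -> tuple[bool, bool, bool]:
    """Happy path, a replayed response, and a ciphertext altered in transit."""
    s1, s2 = secrets.token_bytes(32), secrets.token_bytes(32)   # negotiated earlier (claim 22)
    key_id = hashlib.sha256(s1 + s2).digest()                     # assumed derivation
    server = VerificationServer()
    server.relations[key_id] = DeviceRelation(s1, s2)
    terminal = UserTerminal(key_id, s1, s2)
    record = ("mail", "alice", "read", "2016-08-29T00:00:00Z")   # constructed authorization record

    ct = server.handle_auth_request(key_id, b"authreq|mail|alice")
    rand = secrets.token_bytes(16)                                # sent by the application providing server
    ok = server.handle_auth_response(key_id, ct, rand, terminal.auth_response(ct, rand), *record)
    replay = server.handle_auth_response(key_id, ct, rand, terminal.auth_response(ct, rand), *record)

    ct2 = server.handle_auth_request(key_id, b"authreq|mail|alice")
    bad_ct = bytes([ct2[0] ^ 1]) + ct2[1:]                        # one flipped bit in transit
    tampered = server.handle_auth_response(key_id, bad_ct, rand, terminal.auth_response(ct2, rand), *record)
    return ok, tampered, replay
```

The credential over the ciphertext and random number is what lets the server reject both the altered ciphertext and the replay before it ever decrypts.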
26. The device-application relationship verification server according to claim 21, characterised in that the login response unit further includes a login request verification unit, configured to:
use the first dynamic key identification shared code to look up the first dynamic device verification shared code and second dynamic device verification shared code in the application relationship verification server;
compute the message body credential of the device application access credential message using the first and second dynamic device verification shared codes;
compare whether the computed credential is consistent with the credential sent in the message;
if they are consistent, further check whether the corresponding application-account-device secure registration relationship holds an authorization relationship for the application and account requested in the message, thereby obtaining the verification result.
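Device registration (claims 16 and 22) followed by the login-credential check of claim 26, as an added example that is not the patent's own code. Assumptions: the message body credential is HMAC-SHA256 keyed with both shared codes; the first dynamic key identification shared code is derived as SHA-256 over both shared codes; negotiation is modelled as the server drawing both codes; the body fields and nonce are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def credential(shared1: bytes, shared2: bytes, *fields: bytes) -> bytes:
    """Message body credential: HMAC-SHA256 keyed with both shared codes (assumed)."""
    return hmac.new(shared1 + shared2, b"|".join(fields), hashlib.sha256).digest()


def encode_body(body: dict) -> list[bytes]:
    """Canonical field order so terminal and server authenticate the same bytes."""
    return [f"{k}={body[k]}".encode() for k in sorted(body)]


@dataclass
class Relation:
    """Device secure registration relationship stored by the verification server."""
    shared1: bytes                                  # first dynamic device verification shared code
    shared2: bytes                                  # second dynamic device verification shared code
    reg_ids: tuple[str, str]                        # registration IDs paired with the two codes
    authorized: set = field(default_factory=set)    # (app, account) pairs, claim 26


class VerificationServer:
    def __init__(self) -> None:
        self.by_reg_id: dict[tuple[str, str], Relation] = {}
        self.by_key_id: dict[bytes, Relation] = {}     # first dynamic key identification shared code

    def negotiate(self) -> dict:
        """Claim 22: negotiation modelled as the server drawing both codes (assumption)."""
        rel = Relation(secrets.token_bytes(32), secrets.token_bytes(32),
                       (secrets.token_hex(8), secrets.token_hex(8)))
        self.by_reg_id[rel.reg_ids] = rel
        return {"shared1": rel.shared1, "shared2": rel.shared2, "reg_ids": rel.reg_ids}

    def register(self, reg_ids: tuple[str, str], reg_cred: bytes) -> Optional[bytes]:
        """Claim 22: verify the registration credential, then issue the key identification code."""
        rel = self.by_reg_id.get(reg_ids)
        if rel is None:
            return None
        expected = credential(rel.shared1, rel.shared2, *(i.encode() for i in reg_ids))
        if not hmac.compare_digest(expected, reg_cred):
            return None
        key_id = hashlib.sha256(b"keyid|" + rel.shared1 + rel.shared2).digest()  # assumed derivation
        self.by_key_id[key_id] = rel
        return key_id

    def authorize(self, key_id: bytes, app: str, account: str) -> None:
        """Record an application-account-device relationship (outcome of claims 23 to 25)."""
        self.by_key_id[key_id].authorized.add((app, account))

    def verify_login(self, key_id: bytes, body: dict, body_cred: bytes) -> bool:
        """Claim 26: look up the shared codes by key id, recompute the credential, check authorization."""
        rel = self.by_key_id.get(key_id)
        if rel is None:
            return False
        expected = credential(rel.shared1, rel.shared2, *encode_body(body))
        if not hmac.compare_digest(expected, body_cred):
            return False
        return (body.get("app"), body.get("account")) in rel.authorized


class UserTerminal:
    def __init__(self, negotiated: dict) -> None:
        self.shared1, self.shared2 = negotiated["shared1"], negotiated["shared2"]
        self.reg_ids = negotiated["reg_ids"]
        self.key_id: Optional[bytes] = None

    def registration_message(self) -> tuple[tuple[str, str], bytes]:
        """Claim 16: registration IDs plus a credential computed over them."""
        return self.reg_ids, credential(self.shared1, self.shared2, *(i.encode() for i in self.reg_ids))

    def access_credential_message(self, app: str, account: str) -> tuple[bytes, dict, bytes]:
        """Claim 18: message body plus message body credential."""
        body = {"app": app, "account": account, "nonce": secrets.token_hex(8)}   # nonce is constructed
        return self.key_id, body, credential(self.shared1, self.shared2, *encode_body(body))


def run_login_flow() -> tuple[bool, bool, bool]:
    """Register a device, authorize one app/account, then attempt three logins."""
    server = VerificationServer()
    terminal = UserTerminal(server.negotiate())
    terminal.key_id = server.register(*terminal.registration_message())
    server.authorize(terminal.key_id, "mail", "alice")
    ok = server.verify_login(*terminal.access_credential_message("mail", "alice"))
    unauthorized = server.verify_login(*terminal.access_credential_message("mail", "bob"))
    key_id, body, cred = terminal.access_credential_message("mail", "alice")
    body["account"] = "bob"                    # tampered body no longer matches its credential
    tampered = server.verify_login(key_id, body, cred)
    return ok, unauthorized, tampered
```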
27. The device-application relationship verification server according to claim 21, characterised in that it further includes a device registration update confirmation unit, including:
a second dynamic device verification shared code negotiation unit, configured to negotiate with the user terminal a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored respectively in the user terminal and in the device-application relationship verification server;
a second dynamic key identification shared code generation unit, configured to generate a second dynamic key identification shared code from the server's third dynamic device verification shared code and fourth dynamic device verification shared code and send it to the user terminal;
a device registration update request confirmation unit, configured to receive the dynamic device update message sent by the user terminal, verify it using the server's first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, obtain an update registration confirmation message and send it to the user terminal; the dynamic device update message is generated from the first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code stored in the user terminal; the dynamic device update message carries a device update registration credential.
28. The device-application relationship verification server according to claim 27, characterised in that the user terminal update registration credential includes a dynamic device update message main message body credential and a dynamic device update message sub-message body credential:
the dynamic device update message sub-message body credential is computed by the user terminal from its third dynamic device verification shared code and fourth dynamic device verification shared code;
the dynamic device update message main message body credential is computed by the user terminal from its first dynamic device verification shared code and second dynamic device verification shared code.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2016102046348 | 2016-04-03 | ||
CN201610204634.8A CN105743916A (en) | 2016-04-03 | 2016-04-03 | Information processing method, system and device for enhancing access security |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106302502A true CN106302502A (en) | 2017-01-04 |
CN106302502B CN106302502B (en) | 2019-08-02 |
Family
ID=56252769
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610204634.8A Withdrawn CN105743916A (en) | 2016-04-03 | 2016-04-03 | Information processing method, system and device for enhancing access security |
CN201610757520.6A Expired - Fee Related CN106302502B (en) | 2016-04-03 | 2016-08-29 | A kind of secure access authentication method, user terminal and server-side |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610204634.8A Withdrawn CN105743916A (en) | 2016-04-03 | 2016-04-03 | Information processing method, system and device for enhancing access security |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN105743916A (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108920924A (en) * | 2018-06-20 | 2018-11-30 | 甘肃万维信息技术有限责任公司 | A kind of data sharing method based on recognition of face |
CN110222531A (en) * | 2019-05-31 | 2019-09-10 | 阿里巴巴集团控股有限公司 | A kind of method, system and equipment accessing database |
CN110235424A (en) * | 2017-01-20 | 2019-09-13 | 三星电子株式会社 | For providing the device and method with managing security information in a communications system |
CN110352411A (en) * | 2017-03-20 | 2019-10-18 | 华为技术有限公司 | Method and apparatus for controlling the access to safe computing resource |
CN111062026A (en) * | 2019-12-11 | 2020-04-24 | 维沃移动通信有限公司 | Verification information sharing method and electronic equipment |
CN111953664A (en) * | 2020-07-27 | 2020-11-17 | 新浪网技术(中国)有限公司 | User request verification method and system based on variable security level |
CN114422266A (en) * | 2022-02-28 | 2022-04-29 | 深圳市中悦科技有限公司 | IDaaS system based on dual verification mechanism |
CN117331964A (en) * | 2023-12-01 | 2024-01-02 | 成都明途科技有限公司 | Data query method, device, equipment and storage medium |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106411580A (en) * | 2016-09-14 | 2017-02-15 | 努比亚技术有限公司 | Device management client and server, and device management methods |
US10419448B2 (en) * | 2017-01-09 | 2019-09-17 | Microsoft Technology Licensing, Llc | Enhanced email service |
CN108337555B (en) * | 2018-01-10 | 2021-06-01 | 西安万像电子科技有限公司 | Data display method and system and wearable device |
CN108419225B (en) * | 2018-03-16 | 2020-12-04 | 上海百联集团股份有限公司 | Authorization end, authorized end, server and authorization method |
CN108881256B (en) * | 2018-06-29 | 2021-09-07 | 北京旅居四方科技有限公司 | Secret key exchange method and device, hydroelectric pile and network equipment |
CN109147202B (en) * | 2018-08-02 | 2021-05-11 | 深圳市朗仁科技有限公司 | Shared bicycle control method and device |
CN110708156B (en) * | 2019-09-26 | 2023-05-30 | 中电万维信息技术有限责任公司 | Communication method, client and server |
CN111176710B (en) * | 2019-12-30 | 2023-10-03 | 宁波视睿迪光电有限公司 | Operation method of terminal software management system and terminal software management system |
CN112685702A (en) * | 2020-02-28 | 2021-04-20 | 乐清市川嘉电气科技有限公司 | Intelligent dynamic authorization system for external visitors |
CN112000942B (en) * | 2020-10-30 | 2021-01-22 | 成都掌控者网络科技有限公司 | Authority list matching method, device, equipment and medium based on authorization behavior |
CN112039677B (en) * | 2020-11-05 | 2021-03-16 | 飞天诚信科技股份有限公司 | Method and system for code scanning operation processing based on server |
CN113543123B (en) * | 2021-07-23 | 2024-02-20 | 闻泰通讯股份有限公司 | Method and device for dynamically setting authority of wireless network |
CN115225330A (en) * | 2022-06-21 | 2022-10-21 | 中国电信股份有限公司 | Data encryption method and device, electronic equipment and storage medium |
CN115473655B (en) * | 2022-11-07 | 2023-01-10 | 南京易科腾信息技术有限公司 | Terminal authentication method, device and storage medium for access network |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1822541A (en) * | 2006-03-31 | 2006-08-23 | 北京飞天诚信科技有限公司 | Device and method for controlling computer access |
CN102299930A (en) * | 2011-09-19 | 2011-12-28 | 北京无限新锐网络科技有限公司 | Method for ensuring security of client software |
CN104683296A (en) * | 2013-11-28 | 2015-06-03 | 中国电信股份有限公司 | Safe authentication method and safe authentication system |
2016
- 2016-04-03 CN CN201610204634.8A patent/CN105743916A/en not_active Withdrawn
- 2016-08-29 CN CN201610757520.6A patent/CN106302502B/en not_active Expired - Fee Related
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110235424A (en) * | 2017-01-20 | 2019-09-13 | 三星电子株式会社 | For providing the device and method with managing security information in a communications system |
CN110235424B (en) * | 2017-01-20 | 2022-03-08 | 三星电子株式会社 | Apparatus and method for providing and managing security information in a communication system |
CN110352411A (en) * | 2017-03-20 | 2019-10-18 | 华为技术有限公司 | Method and apparatus for controlling the access to safe computing resource |
CN108920924A (en) * | 2018-06-20 | 2018-11-30 | 甘肃万维信息技术有限责任公司 | A kind of data sharing method based on recognition of face |
CN110222531A (en) * | 2019-05-31 | 2019-09-10 | 阿里巴巴集团控股有限公司 | A kind of method, system and equipment accessing database |
CN110222531B (en) * | 2019-05-31 | 2023-07-07 | 创新先进技术有限公司 | Method, system and equipment for accessing database |
CN111062026A (en) * | 2019-12-11 | 2020-04-24 | 维沃移动通信有限公司 | Verification information sharing method and electronic equipment |
CN111062026B (en) * | 2019-12-11 | 2022-06-17 | 维沃移动通信有限公司 | Verification information sharing method and electronic equipment |
CN111953664A (en) * | 2020-07-27 | 2020-11-17 | 新浪网技术(中国)有限公司 | User request verification method and system based on variable security level |
CN114422266A (en) * | 2022-02-28 | 2022-04-29 | 深圳市中悦科技有限公司 | IDaaS system based on dual verification mechanism |
CN117331964A (en) * | 2023-12-01 | 2024-01-02 | 成都明途科技有限公司 | Data query method, device, equipment and storage medium |
CN117331964B (en) * | 2023-12-01 | 2024-02-27 | 成都明途科技有限公司 | Data query method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN106302502B (en) | 2019-08-02 |
CN105743916A (en) | 2016-07-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 20170828. Address after: 100107 Beijing Chaoyang District Wankexingyuan 4 Building 805. Applicant after: Guo Zhengzheng. Address before: 100084 Beijing Zhongguancun East Road, No. 1, building No. 8, ground floor, No. CB108-018, No. Applicant before: BEIJING DONGSHI TECHNOLOGY Co.,Ltd. |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20190802 |